I think the intent was to comment that extensions don't protect programs with embedded web views, like the steam store. I'd hope the steam store is using https though...

Only on checkout pages. For the rest of the storefront they actually redirect you from HTTPS to HTTP.

That's especially bad, because you can't actually see the origin or whether TLS is in use from the store's interface...