
While unsafe-inline prevents execution of scripts, it doesn't prevent another extension from including HTML in one of the URLs it is requesting, and adding DOM elements that might entirely change the display of the extension. Likely not a huge problem here (there are much easier ways to bypass/cheat this extension e.g. by inserting tracking code into the DOM of a visited page so it's executed by that page) but it's definitely not good practice to interpolate HTML with untrusted strings.
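An added example (not code from the comment or from the extension under discussion) of the pattern the comment warns about: interpolating an untrusted string into markup lets a caller inject elements even where CSP blocks the script part. The sample URL is constructed, and `renderRowUnsafe`, `renderRowSafe`, `escapeHtml` and `injectedTags` are hypothetical names.

```javascript
// Constructed sample input: a request URL observed from another extension,
// crafted so that it carries markup. The <script> would be blocked by a CSP
// without 'unsafe-inline', but the <div> is still parsed and rendered.
const UNTRUSTED_URL =
  'https://tracker.example/p?id=1"><div class="banner">All clear, nothing blocked</div><script>x()</script>';

// Vulnerable pattern (the one the comment objects to): the untrusted value
// goes straight into an HTML string that will later be assigned to innerHTML.
function renderRowUnsafe(url) {
  return `<li><a href="${url}">${url}</a></li>`;
}

// Mitigation: escape every character that can change how the markup parses
// before the value touches HTML. In a real DOM, prefer building nodes with
// document.createElement / textContent / setAttribute, which never parse
// the value as markup at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderRowSafe(url) {
  const safe = escapeHtml(url);
  return `<li><a href="${safe}">${safe}</a></li>`;
}

// Detection helper: list tags in the rendered markup that the template itself
// did not write. Any hit means markup injection, script or not.
function injectedTags(html) {
  const allowed = new Set(['li', '/li', 'a', '/a']);
  const found = new Set();
  for (const m of html.matchAll(/<(\/?[a-zA-Z][a-zA-Z0-9]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allowed.has(tag)) found.add(tag);
  }
  return [...found].sort();
}

console.log('unsafe:', injectedTags(renderRowUnsafe(UNTRUSTED_URL)));
console.log('safe:  ', injectedTags(renderRowSafe(UNTRUSTED_URL)));
```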
