I work on a shopping assistant type browser extension and I am very confident that if I proposed an architecture and implementation such as the author identifies here I would be turned down immediately: having good intentions around privacy is one thing but deliberately designing your application in a way that allows to bypass almost entirely the review process required on submission to the store is something that should be answered for.

Steps have been taken toward making this the norm in Chrome but it’s not clear yet to what degree it will be enforced. Already user can chose on install or at a later time to limit the domains an extension is active on (no matter what permissions it requests) and the ‘declarative’ model for interactions (wake on invocation by user or declare rules/lists to be applied on your behalf by the browser itself) is heavily promoted.

It will be interesting to see how the developers of this extension respond to Google’s roll out of extensions Manifest V3 - the new specification could almost be directly targeting them: with service worker replacing background script there will no longer be a concealed window to mount those iframes. Thanks to the author for this write-up