Woah 🤩

I’ve always wondered about extensions, and don’t know very much. 

Do they basically have read/write access to everything you do on a webpage by default? Can it be scaled back, or limited by the user, or is it dependent simply on how much info the developers need in order to make it functional?

In short: can one enable an extension, give it their nsec, use it to log into web clients, and still retain moderate privacy in their online activity?