The desktop app does that, not the browser extension, so it should in theory be possible to avoid allowing it to inject arbitrary code which allows connections to anywhere in the browser by limiting it to localhost.
Unfortunately, I’m not sure that a reasonable UI for something like this would be feasible without everyone just being trained to click Approve. Some kind of review process could work but that’d put it back in needing Google to admit that they need to pay humans to operate a service.