
A GET request can leak data via the request path or querystring parameters; if that was restricted, you could set up communication in which time or frequency imply activity, with a Morse-code-like protocol (and with enough requests, easily transfer megabytes of data).


You can just do whatever the modern equivalent of document.trackingPixel.src = 'leak all your data here in a single request', since extensions can modify content blocking. Firefox should ask for, accept, and audit a statement of whether your extension needs to make dynamic network calls or not, and why it needs to do so. Yes, you could lie — but then you'd get caught lying, in violation of, kicked off the store, etc. Today, you can just add tracking, and no one can take any useful action as a result.


100% agree. I think extensions are an odd place to start, but this is the exact reason I avoid browser extensions unless I’ve explicitly audited them (and still don’t like that they auto-update without permission).


Same, but on Firefox, the latter can be nicely configured both on a default and on a per-extension basis.



