> The activeTab permission gives an extension temporary access to the currently active tab when the user invokes the extension - for example by clicking its browser action. Access to the tab lasts while the user is on that page, and is revoked when the user navigates away or closes the tab.
In practice users want extensions to do stuff that implicitly violates security boundaries, so I think making that stuff secure would basically require Google to build it in. Like for example, 1Password naturally needs both a way to intercept entry of new passwords (to offer saving) and a way to detect password fields and type into them. Detecting a password field means you need to be able to scan the DOM and detect when the user is interacting with the field. At the point where you can do that, you can snoop on the user on an important page, activeTab or no.
If the Chrome Web Store offered straightforward ways to sell paid extensions, at least then there'd be less reason to embed malware in your extension instead...
My extension (now removed due to legal threats and DMCA abuse) was originally scoped to an application's domain, and then the developer added a new domain so I had to update my extension manifest to add that domain. Doing so shut it off for every user and I had to explain how to turn it back on. Given that experience I should have just put a wildcard in the permissions instead, but I underestimated how bad Chrome's extension infrastructure would be.
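
An added example, not part of the comment above: a review check that lists which host match patterns in an extension update are not already covered by the previous manifest, which is the kind of change the comment says shut the extension off for every user. It approximates coverage by scheme and host only and is not Chrome's own permission-warning comparison; the manifests and the example.com / example.net domains are constructed placeholders.

```javascript
// Added example. Manifests are constructed; example.com/example.net are placeholders.

// Host match patterns live in "permissions" (MV2) or "host_permissions" (MV3).
function hostPatterns(manifest) {
  const all = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return all.filter((p) => p === "<all_urls>" || p.includes("://"));
}

// Parse "scheme://host/path"; the path is ignored (assumption: access is per origin).
function parse(pattern) {
  if (pattern === "<all_urls>") return { scheme: "any", host: "*" };
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\/.*$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2] } : null;
}

function hostCovers(granted, wanted) {
  if (granted === "*" || granted === wanted) return true;
  if (!granted.startsWith("*.")) return false;
  const base = granted.slice(2);
  const w = wanted.startsWith("*.") ? wanted.slice(2) : wanted;
  return w === base || w.endsWith("." + base);
}

function covers(g, w) {
  const schemeOk = g.scheme === "any" || g.scheme === w.scheme ||
    (g.scheme === "*" && (w.scheme === "http" || w.scheme === "https"));
  return schemeOk && hostCovers(g.host, w.host);
}

// Patterns in the update that no already-granted pattern covers.
function newHostAccess(oldManifest, newManifest) {
  const granted = hostPatterns(oldManifest).map(parse).filter(Boolean);
  return hostPatterns(newManifest).filter((p) => {
    const w = parse(p);
    return !w || !granted.some((g) => covers(g, w)); // malformed patterns are flagged too
  });
}

const scoped = { manifest_version: 3, permissions: ["storage"],
  host_permissions: ["https://app.example.com/*"] };
const updated = { ...scoped,
  host_permissions: ["https://app.example.com/*", "https://app.example.net/*"] };
const wildcard = { ...scoped, host_permissions: ["https://*/*"] };

console.log(newHostAccess(scoped, updated));   // the added domain is reported
console.log(newHostAccess(wildcard, updated)); // nothing reported under a wildcard grant
console.log(newHostAccess(scoped, wildcard));  // widening to a wildcard is reported
```

An update from a wildcard manifest never reports new access, so a reviewer diffing versions should treat the broad pattern itself as the finding.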