This is why you should refrain from installing add-ons and extensions.

But in all fairness, sometimes the accessing of data is not for nefarious reasons (although it can be).

See:

• https://blog.mozilla.org/addons/2018/02/01/understanding-extension-permission-requests/
• https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions

I have written a number of extensions. Generally speaking, Firefox has 3 options for users to grant permission for an extension to take action in a page:

(1) On demand, by clicking a button or menu item

This is called "activeTab" permission and it's not even mentioned when you install an extension. I try to use this one whenever possible, but it isn't always enough because of cross-site restrictions.

(2) Named sites (with possibility to expand)

If the extension is intended to operate on specific sites, then I can specify all of those in advance.

In some cases, an extension has an optional all sites permission that allows the user to add permission for more sites over time. When you install an extension set up that way, Firefox will tell you that you could later give the extension broader permissions. Here's an example: https://addons.mozilla.org/firefox/addon/no-cache-no-store-for-css/ . Since this is intended for developers to modify responses from sites they work on it's practical to require them to grant permission for each new site. But this is a pain for any extension you want to work on random pages.

(3) All sites

My extensions need to request this permission when the extension needs to do something in a page automatically that cannot wait for you to click a button or menu item to trigger it. It also is needed to monitor background requests that could be sent to any sites and not just a small set of known sites.

Ultimately, the question is whether you can trust the author to use the permission in a safe, sensible, and respectful way, and that isn't always an easy call to make. If you're not sure, don't install it.

I was about to add a couple extensions, a translator, dictionary, etc, yet was taken aback at giving any of them permission to "access all my data for all websites"! This means they can scoop up all my passwords, & personal information, and do whatever they please with them. We're just supposed to trust them, and all their employees, to be good, and resist the temptation to profit from this trove of information?

Granting an extension host permission to a page doesn't let them read data from Lockwise, but if their script is running the page when you type in your login, then that script can read that data. There are some review mechanisms in place to watch out for malicious extensions, but only Recommended Extensions get careful manual review of every update.

Well, thanks for all your input, links, and suggestions, but I'm not really any more knowledgeable about how to determine which extensions/developers should be trusted to have so much access. Plus, that trust may be well-placed, until there's a change in ownership, or even employees, or a situation comes up they may be more tempted to profit from all the data they can gather...

I wonder, if, as FF does, it can let you put some sites on a "do not enter" (or remember, like passwords) list? But even then, they're still on the honor system of whether they abide by it or not. What's the point of making one's passwords or sensitive, personal info (birthdate, mother's maiden name, SS number, etc) secure, when any & ever browser extension one has installed, can easily access all of that? And sure, we can install no extensions, and miss out on using some truly helpful features when browsing. It almost feels like we've reached a technological point where "privacy" is only a figment of our imaginations, and we've traded that for a few more bells & whistles added on to the basic devices (phone, computer, pad, music player, etc) we've become accustomed to using...