The article largely hinges on “extensions are still ##### even with Manifest v3 and taking away webRequest
takes away power from powerful extensions such as uMatrix, NoScript, etc”.
This is a major concern. Firstly, before Manifest v3, extensions that declared the webRequest permission had permission to observe requests for all hosts. It has now changed. Developers must declare host permissions for any host they want to monitor. It means that a rogue extension can’t feasibly log my entire browsing history and send it off to a third party server. Additionally, the modification of requests has also been moved into declarativeNetRequest and will be handled by the browser instead of the extension. EFF mentions that this will cripple “powerful” extensions but fail to add that malicious extensions being granted the same permissions have a immense amounts of power over the browser which is why the shift is towards declarative APIs.
Additionally, they mention content scripts. I’m not a huge fan of content scripts either. They run in the context of pages and have direct access to the DOM. Scripted renderers weaken site isolation and Manifest v3 makes almost no changes in this area. I don’t recommend you install extensions making use of content scripts, and I look forward to seeing more declarative APIs replace this access.
The EFF is at odds with MV3/declarativeNetRequest because it restricts the powers of their trusted extensions, and that’s a good thing, because it also means that malicious extensions also don’t have that kind of power.