
It seems the reason this is being bonked by CSP is that it's not a browser extension, but rather a bookmarklet, and it's bookmarklets that are being whacked by CSP. And it's sad, because bookmarklets were even more in the ethos of zero-install than extensions are - but that's a double-edged sword if malicious actors use it on unwitting customers.

Where extensions are actually getting whacked beyond what is necessary for security, though, is Chrome's Manifest V3, which is tightly cutting down on the ability of extensions to eval code, run background tasks, and run custom logic to intercept web requests. Anti-ad-blocking considerations are creating massive conflicts of interest here, straight to the point of the last paragraph in the parent. It's not a good direction for the open web.

See: https://www.eff.org/deeplinks/2021/12/googles-manifest-v3-st...



Many thanks for the post. My apologies for getting this wrong! It does make more sense that bookmarklets would not have the privilege necessary. It'd be nice to give them an escape hatch, a way to escalate: `javascript+user:alert(1+1);` But this ultimately feels a lot less pernicious & more understandable (as an oversight) than I'd made things out to be.

I think you've got the eye on the ball here, on where the really important issues are shaking down. Diving back into smaller-grained topics, I find it interesting how much focus the web request interception has gotten versus so many other topics of the Web Extensions clamp-down happening. I couldn't find any discussion of the removal of eval/dynamic code, for example (daggers of irony: the same rule Apple uses to forbid v8 on iOS), & opened what I believe is the first issue against that. https://github.com/w3c/webextensions/issues/139 . The background tasks discussion is another important one: extensions no longer having most of the web platform accessible to them would be extremely limiting. Discussion here is active (if not totally hope inspiring), with proposals such as "Limited Event Pages" https://github.com/w3c/webextensions/issues/134 trying to move things into the right direction.
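To make concrete why both the bookmarklet point in the first comment and the MV3 eval point in the reply come down to the same mechanism, here is an added example (not code from either commenter, nor from Chromium or the W3C WebExtensions group) that evaluates a Content-Security-Policy header's script-src directive the way a browser does for the two capabilities at issue: executing an unlabelled inline script, which is what a `javascript:` bookmarklet amounts to in a browser that does not exempt bookmark-bar navigations from the page's CSP (the CSP spec says bookmarklets should be exempt; implementations have differed), and calling `eval()`/`new Function()`. The policy strings are constructed for illustration; the two extension-page policies mirror what Chrome's manifest documentation allows for `content_security_policy` under MV2 (`'unsafe-eval'` permitted) and MV3 (`'unsafe-eval'` rejected for `extension_pages`, permitted only for `sandbox` pages).

```javascript
// Added example, not from the thread: a minimal CSP script-src evaluator.
// It answers two questions for a policy header: may an unlabelled inline
// script run (a bookmarklet's javascript: URL is one), and may eval() run?

function parsePolicy(header) {
  // Directives are ';'-separated; the first occurrence of a name wins.
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function scriptSourceList(directives) {
  // script-src governs scripts; default-src is the fallback when it is absent.
  const raw = directives.get('script-src') ?? directives.get('default-src');
  if (raw === undefined) return null; // nothing governs scripts: unrestricted
  const list = { hosts: [], nonces: [], hashes: [], keywords: new Set() };
  for (const tok of raw) {
    const lower = tok.toLowerCase();
    if (lower.startsWith("'nonce-")) list.nonces.push(tok);
    else if (/^'sha(256|384|512)-/.test(lower)) list.hashes.push(tok);
    else if (lower.startsWith("'")) list.keywords.add(lower.replace(/'/g, ''));
    else list.hosts.push(lower);
  }
  return list;
}

function allowsInlineScript(header) {
  const list = scriptSourceList(parsePolicy(header));
  if (list === null) return true;
  // CSP3: 'unsafe-inline' is ignored once a nonce, a hash or 'strict-dynamic'
  // is present. A bookmarklet carries neither nonce nor hash, so any
  // nonce-based "strict CSP" blocks it even if 'unsafe-inline' is also listed
  // as a fallback for older browsers.
  if (list.nonces.length || list.hashes.length) return false;
  if (list.keywords.has('strict-dynamic')) return false;
  return list.keywords.has('unsafe-inline');
}

function allowsEval(header) {
  const list = scriptSourceList(parsePolicy(header));
  if (list === null) return true;
  return list.keywords.has('unsafe-eval');
}

// Constructed sample policies (assumed values, not taken from any real site
// or extension). The two extension entries mirror the MV2 and MV3 shapes of
// Chrome's manifest content_security_policy for extension pages.
const SAMPLE_POLICIES = {
  strictNonce: "default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline'",
  legacyInline: "script-src 'self' 'unsafe-inline'",
  mv2ExtensionPages: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  mv3ExtensionPages: "script-src 'self'; object-src 'self'",
};

function report(policies = SAMPLE_POLICIES) {
  const out = {};
  for (const [name, header] of Object.entries(policies)) {
    out[name] = { inline: allowsInlineScript(header), eval: allowsEval(header) };
  }
  return out;
}

console.table(report());
```

The `strictNonce` row is the instructive one: the site keeps `'unsafe-inline'` for old browsers, but a nonce-aware browser ignores it, so a bookmarklet is blocked while the site's own nonced scripts run. The `mv3ExtensionPages` row shows the reply's eval point in the same terms: with `'unsafe-eval'` no longer accepted for extension pages, any extension that compiled or loaded code at runtime loses that path unless it moves the work into a sandboxed page.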



