
> Most good corporate environments should be controlling what plugins they allow users to install in their browsers.

For a very odd definition of the term 'good' I suppose that may be the case. It's certainly not been in any place I've worked in the past 20 yrs.



I can't vouch for the security of any place you've worked in the past 20 years.

But suffice to say, it's very common for Chrome extensions to be able to both modify any content on websites you view and read data you enter into them. Both adware and spyware are prolific on the Chrome Web Store, and it's the number one infection vector I see.

Controlling extensions is downright basic competency for network security. With regard to Chrome, I currently operate an outright block, though obviously we can whitelist extensions as necessary. (One thing Chrome does particularly well is their ADMX templates: It's easy to blacklist and whitelist extensions, and install them compulsorily for users as well.)
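Added example, not part of the comment above or of Chrome's own tooling: the block-all, allow-by-exception, force-install setup that comment describes, written as a managed policy document and audited against a list of installed extensions. `ExtensionInstallBlocklist`, `ExtensionInstallAllowlist` and `ExtensionInstallForcelist` are Chrome's current policy names for the blacklist, whitelist and compulsory-install settings; the extension IDs and the helper functions are constructed for illustration.

```python
import json
import re

# Constructed policy: block everything, allow one extension by exception,
# force-install another. The 32-character IDs are made up for this example.
POLICY_JSON = """
{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],
  "ExtensionInstallForcelist": [
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb;https://clients2.google.com/service/update2/crx"
  ]
}
"""

# Chrome extension IDs are 32 characters drawn from a-p.
ID_RE = re.compile(r"^[a-p]{32}$")


def load_policy(text):
    """Parse the policy JSON into (blocked, allowed, forced) sets of IDs."""
    raw = json.loads(text)
    blocked = set(raw.get("ExtensionInstallBlocklist", []))
    allowed = set(raw.get("ExtensionInstallAllowlist", []))
    # Forcelist entries have the form "<id>;<update_url>".
    forced = {e.split(";", 1)[0] for e in raw.get("ExtensionInstallForcelist", [])}
    return blocked, allowed, forced


def is_permitted(ext_id, policy):
    """Allowlisted and force-installed IDs win over the blocklist; "*" blocks the rest."""
    blocked, allowed, forced = policy
    if not ID_RE.match(ext_id):
        raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
    if ext_id in allowed or ext_id in forced:
        return True
    return not ("*" in blocked or ext_id in blocked)


def audit(installed, policy):
    """Return (unapproved IDs found installed, force-installed IDs that are missing)."""
    forced = policy[2]
    unapproved = sorted(e for e in installed if not is_permitted(e, policy))
    missing = sorted(forced - set(installed))
    return unapproved, missing
```
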


Considering that I've spent 15 of those last 20 years working at cybersecurity companies, I can say with some degree of assuredness that your level of control over browser extensions goes far beyond the typical work environment, and that goes doubly so for companies based in Silicon Valley. Do you really think that all those engineers at Google/FB/Apple/etc can't install browser extensions?



