Also note, the GUID for Safari web extensions changes every launch of Safari to avoid website fingerprinting. If this is true, then how are you supposed to add a Safari extension to an Access-Control-Allow-Origin header? We'd like our extension to be able to POST data but it needs to be added to the header for CORS. We don't want to add safari-web-extension://* because that seems to be opening us up for cross-origin attacks from other extensions (unlikely, but you never know)

Disappointing, but the fix of switching from service_worker to the background script worked for our extension as well. Otherwise we get CORS issues. This seems like a bug in Safari with its service_worker implementation in Manifest v3.

After downloading a few other Safari extensions on macOS, it appears as though this is just how they work. Most of them have the macOS app just show you how to enabled the extension. Very weird experience! But okay.