Permissions for Safari extensions seems to allow for only browsing history AND Webpage contents such as passwords and whatever else.
What if we only need to URL from certain domains?
Never reading the DOM should allow us to use a less-elevated permission that seems far more reasonable than allowing an extension to read my passwords on the DOM