Comment by sophiebits

If you mean can another domain trick Chrome into letting it access those APIs… probably not; it seems it’s based on the browser extension architecture which is already somewhat hardened and I believe doesn’t even load the code for the extension if you’re not on a matching domain (though the typical protection goes the other way around — preventing extensions from accessing website data without permission).