Worth noting: Requires "Access [to] your data for all websites"
On the add-on site, it fortunately does note why:
> Privacy: Markdown Here accesses and modifies web content when you activate it. It can, in theory, access other web content, but does not. It also makes no Internet requests whatsoever. Your data is modified when and where you choose, and does not leave your browser.
Is this a limitation of WebExtension APIs that necessitate this? Perhaps there is an opportunity for more granular WebExtension APIs.
This is essentially a limitation of the browser environment itself, not of WebExtensions. Allowing an extension to inject code into a web page gives that extension the ability to do anything that the page could do on its own, including exfiltrating data. I don't see any easy way to prevent this without severely limiting what the extension can do.
You could maaaaybe convince me to say something like: "all content stored in [textarea] blocks" or "input type=password" CSS-type scoping, but fundamentally, it wants to rewrite _your_ content on a page, but that requires it is allowed to view and modify _all_ content of the page.
On the add-on site, it fortunately does note why:
> Privacy: Markdown Here accesses and modifies web content when you activate it. It can, in theory, access other web content, but does not. It also makes no Internet requests whatsoever. Your data is modified when and where you choose, and does not leave your browser.
Is this a limitation of WebExtension APIs that necessitate this? Perhaps there is an opportunity for more granular WebExtension APIs.