Something like a plugin is a fairly well defined thing and ideally should not need a lot of permissions. E.g. an ad blocker has a simple flow: occasionally update filters from a number of specified endpoints and then match and block web pages’ request urls against downloaded lists. Between update it should have zero web traffic and filter updates are expected to be from known whitelisted sources and asymmetrical in size: very few bytes sends and a lot received. If all of a sudden after an update your plugin wants to send a bunch of data to a new URL you know immediately something is fishy. With respect to granularity, in this case the plugin might not even need to know the entire URL but just the host/domain name - this makes it less attractive to adtech.