I think parent is referring to the idea that it's not a problem for a technically inclined person to when the extensions is filling out the password inspect the password HTML element and "see" it. Other options would include sniffing network traffic in your browser or replacing DNS with self hosted website with a form under the same domain to trick the extension to fill in a form on a website you control (since they match based on the typed in domain).