ofc they can when they have the permissions to do so, and in fact a lot of used extensions need access to websites to work properly. the mission behind is to eliminate malicious extensions. sandboxing pages is not all.
I have always said that extensions security is and has always been a complete joke. I haven't got a clue why browser developers have never tackled this problem. They did spend tons of time implementing browser sandboxes to protect against browser exploits, but seem to completely ignore the risk involved with malicious extensions. Why not implement some type of sandbox? Shame on Google!
