I gave up this fight back when I realized Twitch Now requires this permission, and that there are no other good extensions to show your Twitch feed. https://i.imgur.com/d92BWVW.png
It's basically "too good": an extension so convenient that I can't imagine living without it.
One idea is to install the extension, unpack it, change the permission manifest, then "install unpacked." I did this when I fixed the Netflix auto-skip extension (always skips intros and outros; saved me hours of Star Trek outro pain): https://github.com/shawwn/netflix-skip
But I suspect that if you turn off those permissions for this extension, you'll just see it break, since it does need the ability to read data on the current site to then pull up Twitter conversations about the site.
It's a shame that "examine current url" isn't a separate permission from "modify all data on the site" though. And that read/write permissions aren't separate. I'd be much more inclined to let extensions read all sites I visit.
I believe that the "tabs" permission does allow you to read the current URL without granting the ability to modify the page. It's also possible that some of the functionality could be built with the chrome.declarativeContent API or other alternatives. I'm sure there are features that would be impacted, and I doubt that most users would understand or care about the reduced permissions. But I would.
The main thing is that the extension would still have to be able to run its JS on any page to be able to show the interactive sidebar. Not sure there is a way around that, unless Chrome decides to implement the sidebar API that Firefox has (https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...), then the sidebar code doesn't have to run in the same context as the page.
For ampie you can just get its source, modify the manifest file, and build it yourself, no need to bother with repackaging: https://github.com/posobin/ampie
webNavigation together with tabs is needed to detect page URL changes correctly and update the sidebar (I don't remember exactly, but I think the main problem was pages that use the History API to update the URL), storage is for localStorage to store extension settings, cookies to read/change cookies (limited to "https://ampie.s3.amazonaws.com/", "https://hacker-news.firebaseio.com/", "https://*.ampie.app/", to be able to get your auth token for ampie not to log in twice), unlimitedStorage was used previously because the caches of links stored were much more than the 5 MB that is the default indexedDB limit. The caches are not used anymore, but I kept the permission so far because I am thinking of adding functionality for storing and visualizing your browsing history.
I am not sure what you would want to disable here.
If an extension includes a content script that runs on all websites, then it can't avoid having the "read and change all your data on all websites" permission: a content script is JS code from an extension that runs on web pages; it can access the DOM and send requests. Ampie needs to run the content script on all pages to be able to add the sidebar. The other option is to run the content script on clicking the extension icon: as I mentioned elsewhere, while this approach might sound appealing in theory, the extension turns out to be much less useful this way as you simply forget/don't bother to click it and miss out on some interesting discussions.
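
The trade-off described in the comments above, as an added example that is not part of the thread or of any extension's own code: a small JavaScript check that reads a manifest and reports whether its content scripts or host patterns cover every site. Both sample manifests are constructed from the permission names mentioned in the thread, and `auditManifest` and `isBroad` are hypothetical names.

```javascript
// A match pattern is "broad" if it is <all_urls> or its host part is a bare "*".
function isBroad(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// Summarise what a manifest lets the extension reach.
function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  const hostPerms = manifest.host_permissions || []; // Manifest V3 key
  // In Manifest V2, host patterns sit in "permissions" next to API names.
  const hostLike = [...perms, ...hostPerms].filter(
    (p) => p.includes("://") || p === "<all_urls>");
  const broadHosts = hostLike.filter(isBroad);
  const broadContentScripts = (manifest.content_scripts || [])
    .flatMap((cs) => (cs.matches || []).filter(isBroad));
  return {
    apiPermissions: perms.filter((p) => !hostLike.includes(p)),
    scopedHosts: hostLike.filter((p) => !isBroad(p)),
    broadHosts,
    broadContentScripts,
    // Either source alone gives page read/write on every site.
    allSitesAccess: broadHosts.length > 0 || broadContentScripts.length > 0,
    // "tabs" exposes tab URLs; it does not by itself inject code into pages.
    readsTabUrls: perms.includes("tabs"),
    // "activeTab" grants page access only after the user invokes the extension.
    clickToRun: perms.includes("activeTab"),
  };
}

// Constructed sample (not ampie's actual manifest.json): always-on sidebar.
const alwaysOn = {
  manifest_version: 2,
  permissions: ["webNavigation", "tabs", "storage", "cookies", "unlimitedStorage",
    "https://ampie.s3.amazonaws.com/", "https://hacker-news.firebaseio.com/",
    "https://*.ampie.app/"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
// Constructed variant: no always-on content script, runs on toolbar click.
const clickToRun = {
  ...alwaysOn,
  permissions: [...alwaysOn.permissions, "activeTab"],
  content_scripts: [],
};

console.log(auditManifest(alwaysOn));
console.log(auditManifest(clickToRun));
```

Running it against an unpacked extension's parsed `manifest.json` before editing permissions shows which entries are API names, which are scoped hosts, and which one is responsible for the all-sites warning.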
FWIW, I'm sympathetic and I think your extension is fine.
But to play the pesky devil's advocate: you can make the extension consist entirely of a button on your Chrome bar, which you click on to see a popup containing the content that would normally be injected into the page itself. Thus, it wouldn't need any page permissions.
You can even show the number of tweets by displaying the number on the icon.
This is weird to me, I always listen to credits music. It gives me a calm moment to reflect on what I just watched. I don't like the modern trend of smushing everything together into "binges".