WebExtensions should be limited by Content-Security-Policies
As per the Mozilla documentation the views web extensions get access to are limited by CSP:
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy
The default content security policy for extensions is: "script-src 'self'; object-src 'self';"