The AI Privacy Threat Isn't Your Chat History — It's the Extension Reading Every Page You Open
You disabled ChatGPT's memory feature. You run Llama locally for anything sensitive. You read the privacy policy before installing a new AI tool. And right now, a browser extension you installed eight months ago for "instant AI summaries" is reading the DOM of every page you load — your bank's transaction history, your HR portal, your team's internal wiki — and it has been the entire time.
You didn't consent to that, at least not knowingly. You clicked "Add to Chrome" on a tool that promised to summarize articles, and in the process you granted it the single broadest permission a browser extension can hold: read and change all your data on all websites. That permission does not turn off when you're not actively using the sidebar. It runs on every page, every session, by default.
The privacy-conscious instinct is to scrutinize the AI tool you deliberately use. The actual exposure is the AI tool running silently in the background of tools you don't think about at all.
Why This Threat Doesn't Show Up on Your Radar
Threat modeling for AI privacy usually starts with a direct question: what have I typed into a chat box, and where did it go? That question is answerable. You can check your ChatGPT history, audit your Claude conversations, review what you fed into Perplexity last week.
Browser AI sidebar extensions — Sider, Monica, Merlin, Copilot in Edge, various "AI summarizer" and "AI writing assistant" extensions — don't fit that model, because you never explicitly submitted anything to them. They read the page for you, automatically, as part of the feature. There's no prompt to review, no chat log to audit, because the extension isn't waiting for you to ask it something. It's already looking.
That's the reframe: the question "what did I tell the AI" is the wrong question for this category of tool. The right question is "what pages did I have open while this extension was running," and for most people that answer is: everything. Email. Banking. Health portals. Internal company tools with client data, source code, or HR records in them.
What "Read and Change All Your Data on All Websites" Actually Means
When Chrome or Firefox shows you this permission during installation, it is not exaggerating for effect. It is the literal scope. An extension with this permission can:
- Read the full rendered DOM of any page you visit, including content loaded after login — your bank balance, your inbox contents, your CRM records
- Read form field values, including ones you've typed but not submitted
- Inject its own content or scripts into any page
- Run continuously in the background across every open tab, not just the one where you clicked the sidebar icon
Most AI browser extensions request this permission because their core feature — "summarize this page," "explain this," "ask AI about what I'm reading" — genuinely needs to read page content to work. The permission isn't necessarily malicious. But it is maximal, and it is granted once, at install, with no per-site or per-session re-confirmation.
Compare this to a cloud AI chat tool. When you paste text into ChatGPT, you make an active decision about that specific piece of content, in that moment. A browser sidebar extension with all-sites access makes that decision for you, continuously, for every page you will ever open until you uninstall it.
A Concrete Walkthrough: One Tab, One Extension, One Afternoon
Picture an ordinary workday. You have six tabs open: your bank, your webmail, your company's internal wiki, a client's shared Google Doc, a news article you're reading on lunch, and a code review in GitHub. You installed an AI sidebar extension in March because it was useful for summarizing long articles. It has "on all sites" access, because that was the only installation option offered.
The extension isn't "attacking" any of these tabs in the sense of exfiltrating data on a timer. But its content script is present on all six, and its background service worker has the technical capability to read DOM content from any of them the moment its trigger conditions fire — which, depending on the extension, might be "user clicks the icon," or might be "page finishes loading," or might be something the privacy policy describes only in general terms like "to provide and improve our services."
The point isn't that this specific extension is definitely misbehaving. The point is that you have no way to verify which of those two behaviors is actually happening, because the permission model doesn't distinguish between "reads the page only when you click" and "reads the page always" at the level Chrome shows you. The install-time permission is identical either way. Your only real signal is the extension's own privacy policy and reputation — which is precisely the kind of unverifiable trust relationship you've spent effort eliminating from your AI chat usage, now reintroduced through a different door.
This Compounds With Work Accounts, Not Just Personal Ones
Privacy audits tend to focus on personal exposure — your email, your bank, your health records. Browser AI sidebar extensions installed on a work laptop or a BYOD-enrolled personal machine carry a second, often larger exposure: your employer's data.
If you have an AI sidebar extension with all-sites access installed in the same browser profile you use for work, it has the same DOM-reading capability on your company's internal tools as it does on your personal accounts — your CRM, your internal ticketing system, a client's confidential document shared via a web viewer, source code viewed in a browser-based IDE. Most corporate acceptable-use policies and a fair number of client confidentiality agreements do not contemplate "a third-party AI extension has standing read access to this system," because the person who installed the extension was thinking about summarizing news articles, not about the compliance surface of their entire browser session.
This is worth treating as a separate line item in the audit, because the fix is different: for a personal device, uninstalling or restricting the extension is a complete solution. For a work device, the more durable fix is to keep AI browser extensions — even ones you trust and use deliberately — out of the browser profile where you're logged into employer or client systems entirely, using a separate profile or browser for each.
The Free-Extension Business Model Problem
Most AI browser sidebar tools are free or freemium. That's worth sitting with, because DOM-reading browser extensions are exactly the category of software that has a long, documented history of monetizing the exact access this permission grants — bundling browsing data, page content, and behavioral signals for sale to data brokers or ad networks, separate from and in addition to whatever the AI feature itself does with the content.
This isn't a hypothetical. Browser extension data harvesting has been documented repeatedly across categories — VPN extensions, shopping assistants, "productivity" tools — because the permission model makes it trivial and the free-tier business model makes it necessary. An AI feature bolted onto that same permission scope inherits the same incentive structure: broad, standing access to monetize, plus now a plausible product reason ("we need to read the page to summarize it") that makes the access look legitimate instead of extractive.
You would not paste your bank statement into a random free web tool with no clear business model. A browser sidebar extension with all-sites access is functionally doing that for you, on every page, by default.
The Audit: Finding What Has This Access Right Now
This takes about fifteen minutes and covers the browsers most people actually use.
Chrome / Edge / Brave (Chromium-based): Go to chrome://extensions. For each extension, click "Details" and check the "Site access" section. Look specifically for "On all sites." Cross-reference against extensions with AI, summarize, writing-assistant, or chatbot functionality — these are the ones most likely to hold this permission for a legitimate-sounding reason.
Firefox: Go to about:addons, select each extension, and check "Permissions." Look for "Access your data for all websites."
Safari: Safari's per-site extension permissions are visible under Safari > Settings > Extensions — Safari's model is somewhat more restrictive by default, but verify rather than assume.
For each AI extension you find with all-sites access, ask three questions: Do I actually use this regularly? Does its core feature require reading every page, or could it work with per-site activation instead? Is there a version of this feature I already get from a tool I use deliberately?
If the extension fails the first question, remove it — that's dormant standing access with zero benefit. If it fails the second, most browsers let you restrict site access to "on click" instead of "on all sites," which converts the extension from ambient surveillance into a tool you activate, similar in spirit to pasting text into a chat box yourself.
Rebuilding Around Deliberate Access Instead of Ambient Access
The fix isn't to swear off AI browser tools — it's to move from standing, ambient access back to access you grant per action, the same principle that makes a local LLM or a deliberate chat query more auditable than a background extension.
For the documents and files that AI browser extensions most often summarize — PDFs, reports, contracts you have open in a tab — keep the source copies in storage the extension never touches in the first place. Tresorit provides end-to-end encrypted, zero-knowledge cloud storage; files stay encrypted client-side, so even opening a document from Tresorit in a new tab doesn't hand a DOM-reading extension a plaintext copy sitting in browser memory the way a Google Drive preview would. Store the sensitive version there and only pull a working copy out when you actually need it.
Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.
For the actual use case most people install these sidebar extensions for — "summarize this, explain that, help me research this page" — a tool you open deliberately does the same job without standing access. Perplexity answers a specific query when you ask it, using the content you choose to share in that moment, rather than reading every tab in the background waiting to be useful. It is not a zero-knowledge or fully private tool, but architecturally it behaves like the chat-box model you already trust more than the ambient-sidebar model — a request you make, not a permission you granted once and forgot about.
The Fifteen-Minute Fix Beats the Thirty-Tab Habit
You cannot audit your way out of this by remembering to be careful. The entire point of "on all sites" access is that it doesn't require you to do anything for the extension to see the page — which means the fix has to happen at the permission level, not the behavior level.
Do the extension audit above once. Convert every AI extension you keep from "on all sites" to "on click" where the option exists. Move the documents you most often summarize into encrypted storage the extension can't reach in plaintext. Then, for genuinely one-off research tasks, reach for a tool you open on purpose instead of one that's already open on every page.
The threat you've been managing — what you type into a chat box — was never the biggest one. The biggest one was reading over your shoulder the entire time, on every page, since the day you clicked "Add to Chrome."
Last updated: 2026-07-03
Stay one step ahead. Subscribe to PrivateAI's weekly digest — practical privacy moves, tool reviews, and threat model updates, delivered to your inbox. No tracking pixels, no third-party analytics.