I think the most realistic threat model right now is "subverted browser extension", which is effectively equivalent to internet-wide XSS. Luckily I've only been hit once, and with adware, but it's a risk.
It depends on whether or not your threat model includes threats likely to exploit this attack surface. I'm assuming this is why GP said that a browser extension isn't a threat model.
