Not all, but most of the extensions (addons) require a set of permissions they must declare to the manifest file. The user is not notified by a security warning unless the extension is installed from a .crx file extension. In this later or other cases, a plugin that requires the user's permissions to run is a security threat.
Similar extensions requiring user's permissions exist in other browsers and it is really a critical issue. Each browser author deals with this problem differently. For example, Mozilla requires from such extensions to be signed and listed in the Addons Mozilla where the addons are regularly scanned for the presence of malware. That helps to prevent but does not protect totally the users.
Think of what a malicious JavaScript running with your user's permissions on the browser? May be the best scenario and example I can provide you is the notorious ZombieBrowserPack which is an opensource project (addon) developed first as a POC by Zoltan Balazs, and targets some of the most used browsers (Chrome, Firefox and IE). This plugin can be manipulated remotely to steal authentication credentials, and even bypass two-factor authentication mechanisms such as the ones implemented by Yahoo and Google. It can also hijack your Facebook account, or get your bank account credentials if you perform an online purchase. You can imagine such a plugin purposed to fulfill this or that feature and doing something nefarious behind in the background.