Hi Asaf,
In enterprise specifically, there are additional controls - you can forcefully withhold host permissions from an extension using policy, even if it requires them, and you can block access to specific permissions in the same way if you deem them to provide capabilities you are uncomfortable with.
As mentioned, the hard thing about providing controls for websites is that ultimately Chrome is a user agent that acts on behalf of the user. There are certainly use cases where a user may feel strongly about needing to use an extension on a banking site (password managers to fill logins is a great example).
These sorts of risks are definitely something we keep in mind, including with MV3. This is why we have restricted usage of Remote Hosted Code to allow us to be sure we are reviewing an extension's full functionality, for example. Review in particular plays a big part in keeping the Chrome Web Store safe.
There are certainly risks with any features but the goal is to find a balance between power for users and safety at the same time :)
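The enterprise controls described in this message map to Chrome's `ExtensionSettings` policy. The following is an added example, not part of the original message: the host patterns, the choice of blocked permissions and the all-`a` extension ID are placeholders to be replaced with your own values.

```json
{
  "ExtensionSettings": {
    "*": {
      "runtime_blocked_hosts": [
        "*://*.bank.example",
        "*://intranet.corp.example"
      ],
      "blocked_permissions": [
        "debugger",
        "nativeMessaging"
      ]
    },
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "runtime_blocked_hosts": [
        "*://intranet.corp.example"
      ],
      "runtime_allowed_hosts": [
        "*://*.bank.example"
      ]
    }
  }
}
```

The `*` entry withholds the listed hosts and permissions from every extension without its own entry, while the second entry lets one vetted extension (a password manager, for instance) keep access to the banking site; `chrome://policy` shows whether the policy was applied.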