You are correct, Firefox add-ons run with the same privileges as the application itself meaning that creating security barriers is far from trivial (neither is it trivial with Chrome extensions but in a more subtle way).
The closest thing to a secure data storage is the login manager - if the user defined a master password then the data stored there is encrypted. Any Firefox extension can read the file where the passwords are stored but decrypting it without knowing the master password is currently considered impossible. The weak point here is the password prompt:
- In order to make these password prompts less annoying the prompt only shows up once. After that any extension can access the data without triggering a new prompt.
- An extension can easily fake a master password prompt along with a plausible reason why it appears - social engineering attacks like this one rarely fail.
- But the extension doesn't even have to become active, it can simply wait for the password prompt to appear on its own. And then all it has to do is remembering the password that was entered.
And there is your dilemma: your extension can encrypt the data to make it harder to retrieve. However, you still need to query the user for the password which provides an attack point for malicious extensions - this password prompt has to happen out of the reach of the malicious extension. And even if you manage to do that, a malicious extension can in theory simply replace your extension by a manipulated copy that will send off data once the password is entered.
To sum up: no, you are in no position to fight malicious extensions. The minute a user installed a malicious extension you've lost already. Then your only option is running a service with administrator privileges that will manage the data, out of reach for Firefox extensions and Firefox itself. And even then you still need to figure out how to use that data in such a way that it cannot be intercepted by a malicious extension.
That's exactly the reason why all extensions on addons.mozilla.org have to go through a review process and installing unreviewed extensions is strongly discouraged.