Yes, when someone writes an extension they create a manifest defining the required permissions. So when installing the extension, you explicitly have to agree with these permissions, especially ones like 'Access your data on all websites'.
Extensions are by default bound to the regular sandboxing rules of websites, unless they request more via the manifest, like LastPass does, and Chrome itself does implicitly.