I am one of the few people that inspect the source code of extensions. It's easy to do; for Firefox, for example, just right-click and save-as on the extensions site, then rename your extension to a .zip file and extract, e.g.:

    addon.xpi --> addon.zip

Then manually sift through the code looking for obvious malicious intent (or not so obvious malicious intent if the author is doing obfuscation). Note: obfuscation is a red flag! A simple scan for `https://` / `http://` would usually yield interesting URLs where data is sent. I have actually spotted malicious addons in the wild this way and reported them to Mozilla. They were thankfully removed.

Note: Obfuscation is NOT the same as minification, and I don't mean minification when using the word obfuscation!

Maybe Mozilla could list on the Addon's page a list of domains/IP addresses where data is being sent. A bit like a table of Nutritional Facts for food, but for extensions.
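The review steps described in the comment above (treat the .xpi as a ZIP and scan its files for `http://` / `https://` URLs), as an added example that is not part of the original post. The function names and the sample archive are constructed for illustration; the result is a per-host table of which files mention each domain.

```python
import io
import re
import zipfile
from collections import defaultdict
from urllib.parse import urlsplit

# Matches http(s) URLs in source text; stops at whitespace, quotes and brackets.
URL_RE = re.compile(r"""https?://[^\s'"`<>)\\]+""", re.IGNORECASE)
TEXT_SUFFIXES = (".js", ".mjs", ".json", ".html", ".htm", ".css")

def hosts_in_xpi(xpi):
    """Return {hostname: sorted list of archive members that mention it}.

    `xpi` is a path or a binary file object; an .xpi is a plain ZIP archive,
    so no renaming or extraction to disk is needed.
    """
    found = defaultdict(set)
    with zipfile.ZipFile(xpi) as archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue  # skip directories, images and other binary members
            text = archive.read(info).decode("utf-8", errors="replace")
            for url in URL_RE.findall(text):
                try:
                    host = urlsplit(url).hostname
                except ValueError:  # malformed URL, e.g. unbalanced IPv6 bracket
                    continue
                if host:
                    found[host].add(info.filename)
    return {host: sorted(files) for host, files in sorted(found.items())}

def build_sample_xpi():
    """Constructed sample archive (not a real add-on) so the script runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json",
                   '{"name": "sample", "homepage_url": "https://example.org/addon"}')
        z.writestr("background.js",
                   'fetch("https://collect.example.net/v1?u=" + id);\n'
                   "// docs: http://example.org/help")
        z.writestr("icons/icon.png", b"\x89PNG not scanned")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for host, files in hosts_in_xpi(build_sample_xpi()).items():
        print(f"{host:30} {', '.join(files)}")
```

Hosts that are assembled at runtime or hidden by obfuscation will not appear in this table, so an empty result on heavily obfuscated code is not a clean bill of health.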

Perhaps even a need gap for 'little snitch for browser extensions' as a browser extension (considering OS LS or similar usually gets whitelisted for 80/433 with browsers).

Is it even possible or would the sandbox prevent such an extension from functioning?

Yes, there are probably many extensions that make outside connections that don't add benefit to the user by doing so.

I wish I could block per-app connections on Linux like Little Snitch appears to allow on Mac.

Isn't Little Snitch essentially an interactive firewall? Rather than silently denying/allowing traffic, it needs the user's decision until a connection is white/black listed? Why would this not be allowed on Linux? (other than the app doesn't exist, yet)

https://github.com/evilsocket/opensnitch

However, if you allow everything to 80/443, the extensions would still be able to connect to their servers. Maybe the browsers should add the ability to allow/deny connections per extension.

https://github.com/gustavo-iniguez-goya/opensnitch/issues/21