1. If the browser is an operating system (which it is) then the browser itself is naturally "ring 0". An example of where this matters is the fact that Hacker News can't access your bank account, while addons can. It is hard to imagine anything more security-sensitive than your bank account.
2. "An add-on is restricted to user privileges or less" doesn't mean much for the Firefox addons that are affected by this—they run with full user privileges, which for many attacks (malware, spying, TLS interception, keylogging, etc.) is close enough to ring 0 as to make no difference.
There are security vulnerabilities; I don't think anyone in their right mind can deny that. Ultimately they're no different than being able to install software on your computer though. So, assuming reading your bank account were a user-level privilege, nothing prevents software you install from accessing it. As long as you can install software, you can install malicious software.
Theoretically, gpg could be capturing my key password. It couldn't capture other people's key passwords though.