Forem Creators and Builders 🌱

Discussion on: Is the approach to privacy within the forem browser extension valid?

Ben Halpern

From the Content scripts link

Content scripts can access Chrome APIs used by their parent extension by exchanging messages with the extension. They can also access the URL of an extension's file with chrome.runtime.getURL() and use the result the same as other URLs.

And also

Isolated worlds do not allow for content scripts, the extension, and the web page to access any variables or functions created by the others. This also gives content scripts the ability to enable functionality that should not be accessible to the web page.

And from the Security page

Content scripts are the only part of an extension that interacts directly with the web page. Because of this, hostile web pages may manipulate parts of the DOM the content script depends on, or exploit surprising web standard behavior, such as named items.
To interact with DOM of web pages, content scripts need to execute in the same renderer process as the web page. This makes content scripts vulnerable to leaking data via side channel attacks (e.g., Spectre), and to being taken over by an attacker if a malicious web page compromises the renderer process.

It seems like the current functionality is duly safe because the code doesn't rely on anything in the DOM for its functionality. But we might as well move to use the background scripts for most of the work just because that's the better long-term approach.
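A sketch of the background-script approach discussed in this comment, added here as an example and not taken from the thread or from the Forem extension's code. The message type `CHECK_ORIGIN`, the `KNOWN_ORIGINS` list and the `handleMessage` helper are hypothetical; the handler treats every message from a content script as untrusted, since the content script shares a renderer process with the page.

```javascript
// Background context: the privileged logic and data stay here, outside the renderer.
// Hypothetical allow-list; the origin below is a constructed sample value.
const KNOWN_ORIGINS = new Set(["https://community.example"]);

// Hypothetical message types the background script is willing to serve.
const HANDLERS = {
  CHECK_ORIGIN: ({ origin }) => ({ known: KNOWN_ORIGINS.has(origin) }),
};

function handleMessage(message, sender, ownId) {
  // Accept only messages from this extension's own content scripts running in a tab.
  if (!sender || sender.id !== ownId || !sender.tab) {
    return { error: "untrusted sender" };
  }
  // The body may have been crafted by a hostile page that took over the renderer.
  if (typeof message !== "object" || message === null) {
    return { error: "bad message" };
  }
  // Own-property check so names like "constructor" never resolve to a handler.
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, message.type)) {
    return { error: "unknown type" };
  }
  // Take the origin from the browser-supplied sender, never from the message or the DOM.
  let origin;
  try {
    origin = new URL(sender.url).origin;
  } catch {
    return { error: "bad sender url" };
  }
  return HANDLERS[message.type]({ origin });
}

// Registered only when running inside an extension. The content script side is then
// a single call: chrome.runtime.sendMessage({ type: "CHECK_ORIGIN" }, callback)
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    sendResponse(handleMessage(message, sender, chrome.runtime.id));
  });
}
```

With this split the content script holds no list and makes no decision itself; it only forwards a typed request and acts on the answer.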