Can a malicious add-on access internet history and other sensitive info in Chrome/Firefox?

Modern browser extensions use the WebExtensions API, which enforces a permission model; basically, addons can only have the access that you grant them (you can't reject individual permissions though; if you are uncomfortable with some, you can't install the addon).

Regarding your specific questions:

• The browser history can only be requested if the history permission is granted.
• The cookies permission only works along with a host permission which will define which cookies can be accessed. Host permissions are required for all of the sensitive actions (such as injecting JavaScript into a page, reading the contents of a page, etc).

Malicious extensions can of course execute arbitrary JavaScript in an isolated context, so something like a malicious cryptominer is certainly feasible.

For access which doesn't require explicit permissions, see my related question: Danger of browser extension without any permissions?.

how does chrome/firefox make sure addons are safe?

They inspect them before publishing, and ban those found abusing its rights. But this ban can take from days to weeks.

how much access can addons have?

Addons can make anything you can, and more. They can access any server, read any cookie, alter any data, even encrypted by HTTPS, and send any data anywhere. They have to ask your permission when you install, but once you gave permission, for example, to read data on all websites, the addon can read data on all websites you visit.

should I still worry about addons?

Yes, you should. If you use an addon that was abandoned and the owner sold it to someone else, chances are pretty high that the new owner will do something nasty.

What you do? Don't install extensions unless they are from reputable sources, don't need lots and lots of permissions, and are really needed. Installing everything you think is cool will end up compromising your security.