Worst case scenario, what can a Chrome extension do with "Your data on all websites" and "Your tabs and browsing activity"?
Send a list of all the websites I visit to the maker?
Yes
Capture data I input into forms? (like my personal data, passwords, etc.)
Yes
See how long I have been on a website, and which pages I have visited?
Yes
Access cookies?
Updated: see the following comment from Bryan Field for this one.
Bryan Field: Great answer, except for number 4. Cookies without the httponly flag can be accessed for sure; beyond that I don't know. I would add that it is likely that the extension could manually call, for example, your Gmail page and get all your emails, even if you do not have Gmail open during the time the extension is opened. You need only to be logged in and it can call those pages. So even if the httponly cookies cannot be directly viewed (number 4), it doesn't really matter, because the cookies can still be indirectly and effectively used.
Access other files on my computer? (I guess not, given the Sandbox environment, but I'm still wondering)
No – like you say the sandbox will prevent that.
Do anything worse?
Read (and send) data on all the pages you visit.
Some more details on why this is often needed, but not always, are discussed in this question: Why do Chrome extensions need access to 'all my data' and 'browsing activity'?
Google briefly explains the security model for extensions in the following blog post:
http://blog.chromium.org/2009/12/security-in-depth-extension-system.html
Only install extensions from trusted sources.
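To check which manifest entries sit behind the two warnings discussed above before installing or approving an extension, here is an added example (not part of the original answer or comment) that audits an unpacked extension's manifest.json. The mapping from entries to risks is an assumption based on Chrome's extension permission model, and the sample manifest is constructed.

```javascript
// Added example: flag manifest.json entries that grant "data on all websites"
// or tab/browsing-activity access. Risk descriptions are this example's assumptions.
const BROAD_HOST = /^(\*|https?):\/\/\*\/.*$/; // any host, e.g. *://*/* or https://*/*

const API_RISKS = {
  tabs: "reads URL and title of every open tab (browsing activity)",
  history: "reads stored browsing history",
  webNavigation: "observes each navigation as it happens",
  cookies: "chrome.cookies API for hosts the extension can access",
  webRequest: "observes network requests to hosts the extension can access",
};

function isBroadHost(pattern) {
  return pattern === "<all_urls>" || BROAD_HOST.test(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  const add = (source, value, risk) => findings.push({ source, value, risk });
  // MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
  const declared = [
    ...(manifest.permissions || []).map((v) => ["permissions", v]),
    ...(manifest.host_permissions || []).map((v) => ["host_permissions", v]),
  ];
  for (const [source, value] of declared) {
    if (typeof value !== "string") continue; // skip non-string entries
    if (isBroadHost(value)) {
      add(source, value, "data on all websites: read pages, make logged-in requests");
    } else if (Object.prototype.hasOwnProperty.call(API_RISKS, value)) {
      add(source, value, API_RISKS[value]);
    }
  }
  // Content scripts run inside matching pages and can read what is typed into forms.
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const m of cs.matches || []) {
      if (isBroadHost(m)) add(`content_scripts[${i}].matches`, m, "injected into every page");
    }
  });
  return findings;
}

// Constructed sample manifest, not a real extension.
const sampleManifest = {
  manifest_version: 2,
  name: "Sample Helper (constructed)",
  permissions: ["tabs", "storage", "http://*/*", "https://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};
console.log(auditManifest(sampleManifest));
```

An empty result only means none of these specific entries are declared; it says nothing about what the extension's code does with the access it has.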