Reminds me of the chrome bug I filed years ago that is still unfixed. An extension with access to all browsing tabs can open a hidden iframe to a website that commonly would have mic and camera permission (like hangouts.google.com), and then inject its own JavaScript into that hidden iframe to capture mic or camera.

For this to work hangouts.google.com had to not include the HTTP header to block iframing but thankfully if you make up a URL the 404 page served on that domain does not include that http header.