Chrome exposes these files via a URL that you can fetch in javascript like you would any other file on a normal website. These local extension files usually contain code, styles or images that your browser needs to run the extensions.

Why is it not a CORS violation?

The browser needing access and a random website having access are quite different. Seems like a big ol' pile of vulns waiting to happen.