1. Android and iOS sandbox applications. But if I grant permission, a mobile app can read files from my photos, or documents, SD card on Android, etc. folders. I can even ship a mobile Safari extension on iOS.
2. Desktop platforms do not universally sandbox applications (though they are trying). You can install a desktop app that steals all the data in your home directory, including your entire browsing history, with no permission dialog whatsoever.
3. That aside, browsers sandbox extensions just like mobile applications. One extension cannot access another extension's data.
4. Furthermore, by default, a browser extension can only access content from its own origin. It is in fact sandboxed from the rest of the sites you visit.
5. If the user grants permission, a browser extension may access other sites.
So in short, browser extensions are in fact sandboxed.
And your idea of mobile apps accessing data is entirely dependent on the qualifier "when they shouldn't", which, arguably if given permission, they should so it's a moot point.
The shared data on ios and android isnt all that important. Sure, you might not want a random app to read your photos, but it's not getting access to your bank session token. And these days you can grant apps to only specific photos.
The vast majority of extensions require the ability to read and modify the dom on any website to do anything. This is so much worse than the average app permissions.
2. Desktop platforms do not universally sandbox applications (though they are trying). You can install a desktop app that steals all the data in your home directory, including your entire browsing history, with no permission dialog whatsoever.
3. That aside, browsers sandbox extensions just like mobile applications. One extension cannot access another extension's data.
4. Furthermore, by default, a browser extension can only access content from its own origin. It is in fact sandboxed from the rest of the sites you visit.
5. If the user grants permission, a browser extension may access other sites.
So in short, browser extensions are in fact sandboxed.
And your idea of mobile apps accessing data is entirely dependent on the qualifier "when they shouldn't", which, arguably if given permission, they should so it's a moot point.