But that did require a specific permission.
And the permission/ability to inject arbitrary JavaScript into any page is still there. As are other abilities that can be abused.
Meaning, the security argument for removing blocking onBeforeRequest was always a diversion. It is not nearly the highest-risk thing in the API.