...
I'm not sure, honestly. I know for a fact browser extensions can access the file system, purely from my experience with past extensions. I spent about 30 minutes skimming Google and their developer docs. If this is wrong on my end, please let me know:
- download any additional malware (add-ons are run within an isolated environment): Downloading malware means the application needs permission to connect to its server, and needs write permission on the target machine. Examples of extensions with write permission: third-party session savers that restore your tabs, and any application that needs to store its state on your computer.
- search through your file system: This means read permission. Extensions that come to mind are download managers and extensions that communicate with other applications.
So, API examples:
https://developer.chrome.com/apps/fileSystem : File System endpoint. After reading through this, it looks like you can access absolute paths on the target machine.
https://developer.chrome.com/apps/storage : Storage endpoint. Note that this is a lot different because you can only access your own directory in AppData.
https://developer.chrome.com/extensions/nativeMessaging : Native messaging. Although, after reading through it, it looks like it might only be possible for the app to send messages to other apps that they programmed themselves.
But even without mentioning all of these, just purely including complete browser access is a massive security risk, especially for people who use web wallets. Like bob said, the extension can run any arbitrary code on any webpage, access any session-related data, display/modify any forms... Basically a complete takeover of your browser experience.
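
A defender's view of the permissions named in this comment, as an added example that is not part of the original post: a small Node.js script that flags them in an extension's `manifest.json`. The sample manifest is constructed, and the `downloads` entry and the risk descriptions are additions not taken from the post.

```javascript
// Added example: audit a Chrome extension/app manifest for the capabilities
// discussed in the comment above. The sample manifest is constructed.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const RISKY_API = {
  fileSystem: "Chrome Apps file system API",
  nativeMessaging: "can exchange messages with a registered native application",
  downloads: "can start downloads that are written to disk", // not named in the post
};

// In Manifest V2, host match patterns share the "permissions" array with API names.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const findings = [];
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),          // Manifest V3
    ...(manifest.optional_host_permissions || []), // Manifest V3
  ];
  for (const entry of declared) {
    // Chrome Apps may declare a permission as an object: { fileSystem: ["write"] }
    const names = typeof entry === "string" ? [entry] : Object.keys(entry);
    for (const name of names) {
      if (isHostPattern(name)) {
        if (BROAD_HOSTS.has(name)) findings.push({ item: name, risk: "host access to every site" });
      } else if (RISKY_API[name]) {
        findings.push({ item: name, risk: RISKY_API[name] });
      }
    }
  }
  // Content scripts matching every site run code in every page without a host permission.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) findings.push({ item: `content_scripts:${m}`, risk: "script injected into every page" });
    }
  }
  return findings;
}

// Constructed sample manifest for illustration only.
const sampleManifest = {
  manifest_version: 2,
  name: "Constructed Tab Saver",
  permissions: ["storage", "tabs", "nativeMessaging", "<all_urls>", { fileSystem: ["write"] }],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};

for (const f of auditManifest(sampleManifest)) console.log(`${f.item}: ${f.risk}`);
```

To check an installed extension, load its `manifest.json` with `JSON.parse` and pass the result to `auditManifest`.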