Remember that any wallet that runs in the browser mus trust the javascript engine in it.

What this means is any program that accesses the JS engine can access your keys.

So spyware, other plugins and addons all can read your private keys when you use them in your browser.

I wouldn't use a browser for anything serious TBH