As others already pointed out, the extension has the permission to do it, which you grant to the extension when you install it. Something along the lines of "access any data on bitcointalk.org", meaning as you browse bitcointalk.org with your browser (logged in or not) the extension would have access to anything your browser downloads from bitcointalk.org as you browse the site. And the extension makes use of this permission to inject bits of HTML into bitcointalk.org pages as you browse them. It does not collect your PMs though. You can verify that by looking at its source code, or you would have to trust the developers, which is what I was attempting to say in that post that Lucius quoted.

I don't know the full context that made you create this thread so let me point one other thing that is blatantly obvious but doesn't appear to be stated in that quote: the extension works only in the browser instance where it is installed and enabled. If you don't have it installed (as is the case for 99.9% users) then you don't have the above theoretical risk.