From a Google engineer:
Depending on the extension you install, the extension might need legitimate access to various things to carry out its purpose. For example, if you see the message that the extension can have access to "your private data on all websites," this usually means that the extension is inserting content scripts into a page. Content scripts are used to make changes to what's being shown on a page. An extension for blocking ads is one such example since it needs to modify the execution of the page to not show ads. In this case, this ability to modify page content brings you a desired functionality. However, this same ability means the extension can have the ability to read information submitted on the page, which includes private data. This is not to say it's going to do this or do something malicious with it, but it *can* if the extension author is ill-intentioned and built his extension specifically for this purpose. This is why we always advise users to only download extensions from authors they know and trust (they have great reviews, have a lot of users, good reputation, etc.).
This is no different from the risk you take when installing software in general and the same risks exist in other browsers when installing extensions/add-ons. That said, we have done and are still doing many things to try and mitigate potential damage that can be caused by malicious extensions. For example, we can enforce granular access to permissions (having access to some sites instead of all sites), we isolate extension code from web page code to reduce the ability for malicious web pages to infect good extensions, and more. You can read more about security and Chrome extensions in a very informative blog post listed in my references.
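The difference between access to all sites and access to some sites, as described above, is visible in an extension's `manifest.json`. The following is an added example, not part of the engineer's statement or Chrome's own code: the sample manifests and function names are constructed for illustration, and only `<all_urls>` or a host written as a bare `*` is treated as all-site access.

```javascript
// Added example: classify the host match patterns an extension manifest requests.
const BROAD_HOST = /^(\*|[a-z]+):\/\/\*(\/|$)/;

function isBroadPattern(pattern) {
  // "<all_urls>" and any pattern whose host part is a bare "*" cover every site.
  return pattern === "<all_urls>" || BROAD_HOST.test(pattern);
}

function looksLikeHostPattern(entry) {
  // Older manifests mix API names ("tabs") and host patterns in "permissions".
  return typeof entry === "string" && (entry === "<all_urls>" || entry.includes("://"));
}

function auditManifest(manifest) {
  const found = [];
  (manifest.content_scripts || []).forEach((cs, i) =>
    (cs.matches || []).forEach((p) =>
      found.push({ source: `content_scripts[${i}].matches`, pattern: p })));
  for (const key of ["host_permissions", "permissions"]) {
    (manifest[key] || []).filter(looksLikeHostPattern)
      .forEach((p) => found.push({ source: key, pattern: p }));
  }
  return {
    broad: found.filter((f) => isBroadPattern(f.pattern)),
    scoped: found.filter((f) => !isBroadPattern(f.pattern)),
  };
}

// Constructed sample manifests (not taken from any real extension).
const adBlockerLike = {
  manifest_version: 3,
  name: "Sample blocker",
  permissions: ["storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
const singleSiteTool = {
  manifest_version: 3,
  name: "Sample single-site helper",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["content.js"] }],
};

for (const m of [adBlockerLike, singleSiteTool]) {
  const { broad, scoped } = auditManifest(m);
  console.log(`${m.name}: ${broad.length} all-site pattern(s), ${scoped.length} site-scoped`);
  broad.forEach((f) => console.log(`  all sites via ${f.source}: ${f.pattern}`));
}
```

A manifest that lands in the `broad` list is the kind that produces the "all websites" warning the quote describes, so the author's reputation matters most for those.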