The declarative API takes control away from the user. Currently you can block everything except the useful content. With the declarative API you can block only trackers A, B and C, but not C and D, because C and D weren't added to the global list of trackers. Moreover, you won't even know that C and D exist. With the declarative api, trackers get a trivial way to bypass adblocking: they can just change the domain name. This is the true goal of declarative API, not performance or security.
Why does the declarative API still allow to monitor your traffic? This sort of contradicts the security selling point, right? Because corporate users need to monitor activity of their employees: they install a corp extension that monitors traffic. They don't need to block anything, but they need the monitoring ability.
The argument that adblockers can route all your traffic thru their servers simply doesn't stand. If this was a concern, the browser could refine the permissions model: an extension can monitor and block any traffic, but it doesn't have access to the internet. Just like in Android you can uncheck the camera and mic permissions for any app. Problem solved.
I don't understand your point. It doesn't matter what the language is: JS, Lua, Python, C++ or even Rust. What matters is the API the extension has access to: tab URLs, web requests, storage, network, DOM read only or read write. Just like in mobile apps: it doesn't matter what language it's written in. It only matters what system apis it has access to.
The declarative API takes control away from the user. Currently you can block everything except the useful content. With the declarative API you can block only trackers A, B and C, but not C and D, because C and D weren't added to the global list of trackers. Moreover, you won't even know that C and D exist. With the declarative api, trackers get a trivial way to bypass adblocking: they can just change the domain name. This is the true goal of declarative API, not performance or security.
Why does the declarative API still allow to monitor your traffic? This sort of contradicts the security selling point, right? Because corporate users need to monitor activity of their employees: they install a corp extension that monitors traffic. They don't need to block anything, but they need the monitoring ability.
The argument that adblockers can route all your traffic thru their servers simply doesn't stand. If this was a concern, the browser could refine the permissions model: an extension can monitor and block any traffic, but it doesn't have access to the internet. Just like in Android you can uncheck the camera and mic permissions for any app. Problem solved.