The browser signing extensions have a lot of eyes on them.
For example, I run a firewall that monitors every packet in and out; if any of the signing extensions I use were sending private keys out, I'd know.
Other people also have their own ways of verifying; the codebases for these extensions are pretty small and not difficult to audit.