I'm not an expert on it, but my understanding is if you c/p your private key into a web client, you risk 2 things:

1. The web client could be dodgy and actually send your nsec to their server.
2. Even if the web client isn't dodgy, your nsec will be stored in a cookie and that can be leaked through exploits / undiscovered bugs.

The extension is meant to mitigate these things. You're still taking a small leap of faith in trusting the extension, but it's a lot better than trusting the bazillion different clients instead.
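The second risk above, turned into a check (an added example, not part of the original comment): this JavaScript reports where a checksum-valid `nsec1…` string has been persisted by a page. The function names and the sample key are constructed for illustration, and scanning `localStorage`-style storage in addition to cookies is an assumption that goes beyond what the comment mentions.

```javascript
const CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"; // bech32 alphabet (BIP-173)
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];
// An nsec is "nsec1" + 52 data chars (32-byte key) + 6 checksum chars.
const NSEC_RE = /nsec1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{58}/g;

function polymod(values) {
  let chk = 1;
  for (const v of values) {
    const top = chk >>> 25;
    chk = ((chk & 0x1ffffff) << 5) ^ v;
    GEN.forEach((g, i) => { if ((top >> i) & 1) chk ^= g; });
  }
  return chk;
}
function hrpExpand(hrp) {
  const codes = [...hrp].map((c) => c.charCodeAt(0));
  return [...codes.map((c) => c >> 5), 0, ...codes.map((c) => c & 31)];
}
// Checksum validation filters out look-alike strings that merely match the regex.
function isValidNsec(s) {
  const data = [...s.slice(5)].map((c) => CHARSET.indexOf(c));
  return polymod([...hrpExpand("nsec"), ...data]) === 1;
}

// Hypothetical helper: cookieString is document.cookie, storage a plain-object copy
// of localStorage/sessionStorage. Returns locations only, never the key material.
function findStoredNsecs(cookieString, storage) {
  const sources = cookieString.split(";").filter((p) => p.trim())
    .map((p) => ["cookie:" + p.split("=")[0].trim(), p]);
  for (const [k, v] of Object.entries(storage)) sources.push(["storage:" + k, String(v)]);
  return sources
    .filter(([, text]) => [...text.matchAll(NSEC_RE)].some((m) => isValidNsec(m[0])))
    .map(([where]) => where);
}

// Build a CONSTRUCTED, throwaway nsec so the example runs offline (not a real key).
function encodeNsec(bytes) {
  let acc = 0, bits = 0; const words = [];
  for (const b of bytes) {
    acc = (acc << 8) | b; bits += 8;
    while (bits >= 5) { bits -= 5; words.push((acc >> bits) & 31); }
    acc &= (1 << bits) - 1;
  }
  if (bits) words.push((acc << (5 - bits)) & 31); // zero-pad the final 5-bit group
  const mod = polymod([...hrpExpand("nsec"), ...words, 0, 0, 0, 0, 0, 0]) ^ 1;
  for (let i = 0; i < 6; i++) words.push((mod >> (5 * (5 - i))) & 31);
  return "nsec1" + words.map((w) => CHARSET[w]).join("");
}
const SAMPLE_NSEC = encodeNsec(Array.from({ length: 32 }, (_, i) => (i * 37 + 11) & 255));
```

In a browser console on the client you are auditing, the call would be `findStoredNsecs(document.cookie, { ...localStorage })`; an empty array means no checksum-valid nsec was found in those two places.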