Chrome's extension APIs (at least in recent years) are known for its security and it is rare to see any major vulnerability. Derin Eryılmaz writes about finding a vulnerability in ChromeOS, the operating system built on top of Chrome. He found a way to escape the Chrome API sandbox through the filesystem APIs to inadvertently get XSS. https://0x44.xyz/blog/cve-2023-4369/