In absolutely no way is it the plugin's decision where it should be allowed to run. It's great if it self-restricts and we should encourage that, but it's absurd in the extreme that any version of plugin support ever shipped without a way for users to override and restrict them further. Trusting the author of a thing to do what they claim to do is literal security insanity, and it always has been.
Chrome is sightly improving here, with click-to-activate extensions, but it's still pretty far from just giving me a frickin list field.