Is this really how password managers extensions work? They inject arbitrary javascript in every page you visit?

I would have naively thought that there'd be a better and safer API for it, considering that all browsers already have the infrastructure in place to handle login autocomplete.