It’s a rootkit. When it runs it basically has complete access to your system. You’re at the mercy of the guys at Riot and pray that no one breaches their system.
IIRC Genshin Impact uses a similar system and a breach has already happened.
Not necessarily announce their existence. There’s some way for websites to communicate with extension like explained here. IMO, a sufficiently motivated actor can use this to add additional data point for fingerprinting.
Although most of the methods are only applicable if you’re using Chrome or Chromium based browsers and Firefox has disabled the methods commonly used to extract information from the browser.
Couple of things happened, this and this. I got soured and needed to find a better alternatives for my TOTP.