Isn’t piling on browser extensions generally considered bad practice as it increases your attack surface (bad for security) and makes you more easy to fingerprint (bad for privacy)?

I read this very often, but I’m not really sure if it’s strictly true.
An addon only increases your attack surface if it processes data sent by the website, and it only makes you easier to fingerprint if it does something to the website or it’s observable environment.

A few examples:

• Simple Tab Groups does not change anything a website could see, and other than title and favicon does not really process other parts of the website
• Bitwarden: might be affected on both fronts because of autofill, and it reads the webpage to see if it contains a login form (to offer to save your new password or new account)
• disable page visibility api, disable console clear: I think these are invisible to the website
• firefox multi account containers: only adds fearures to the browser
• libredirect: unless redirection of embeds is enabled, should not be visible
• generic QR code maker addon: does not do anything with the website. Does a context menu entry for selected text, but that shouldn’t be visible by websites
• redirect amp to html: invisible, redirection happens before loading the new page
• tab session manager: same as STG above
• new tab page addons
• temporary containers
• undo close tab
• web archives

So my point is that there’s a plenty of addons that don’t need to do anything with the website itself to be useful, and even if it does something with it, it does not necessarily make you more fingerprintable.

That being said, it’s also important to mention that an addon could do something you don’t know about, so without asking others or yourself reading it’s code (it’s human readable, download the XPI file from the addon store and unzip it (it is a zip file actually)).