I have added my banking site and GitHub to extensions.webextensions.restrictedDomains, to ensure a rogue extension cannot steal session cookies from there. Unfortunately I have discovered that when I use a subdomain (gist.github.com), Firefox will happily give the extensions access to my session cookies. This seems like an oversight. I believe it should restrict all subdomains on a site or at least allow wildcards, like *.github.com, to properly lock down Firefox.
Would also be cool if you could explicitly blacklist and whitelist certain sites on a global or per-extension basis. Especially since extensions now have 1000s of dependencies and are increasingly becoming an attack vector.
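
An added example, not part of the original post and not Firefox code: a small audit that models the exact-hostname comparison described above, lists the hosts a parent entry fails to cover, and builds a pref value that names them explicitly. The function names, the sample pref value and the hostnames (`bank.example` included) are constructed for illustration, and the suffix matcher is the requested behaviour, not an existing Firefox feature.

```javascript
// Constructed sample value for extensions.webextensions.restrictedDomains.
const PREF_VALUE = "github.com,bank.example";

// Parse the comma-separated pref value into a set of lowercase hostnames.
function parseRestricted(value) {
  return new Set(
    value.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
}

// Exact match: the behaviour the post reports (github.com does not cover gist.github.com).
function isRestrictedExact(host, restricted) {
  return restricted.has(host.toLowerCase());
}

// Suffix match: the behaviour the post asks for (hypothetical).
// Requiring a "." boundary keeps "notgithub.com" from matching "github.com".
function isRestrictedSuffix(host, restricted) {
  const h = host.toLowerCase();
  for (const entry of restricted) {
    if (h === entry || h.endsWith("." + entry)) return true;
  }
  return false;
}

// Hosts that sit under a listed domain but are missed by exact matching.
function findGaps(hosts, prefValue) {
  const restricted = parseRestricted(prefValue);
  return hosts.filter(
    (h) => !isRestrictedExact(h, restricted) && isRestrictedSuffix(h, restricted)
  );
}

// Workaround under exact matching: list every gap host explicitly,
// keeping the entries already present in the pref.
function extendPref(hosts, prefValue) {
  const all = parseRestricted(prefValue);
  for (const h of findGaps(hosts, prefValue)) all.add(h.toLowerCase());
  return [...all].join(",");
}

// Constructed list of hosts the user logs in to.
const visited = ["github.com", "gist.github.com", "notgithub.com", "login.bank.example"];
console.log("uncovered subdomains:", findGaps(visited, PREF_VALUE));
console.log("pref with explicit entries:", extendPref(visited, PREF_VALUE));
```

The extended value only covers subdomains that appear in the input list, so any new subdomain a site introduces has to be added by hand.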