The plugin does, unless things have changed since it left GitHub, request permission on a by-website basis in Firefox. I kind of doubt that most people are reviewing that (large) list, but that’s probably about as restrictive as one could reasonably do something like this.

The TLD of the source domain is probably more-or-less irrelevant as security. If someone were trying to set up malware, if they were willing to go through even the barest of efforts, they’d be more likely to do it through a VPN on a “legitimate-looking” domain; that’s one of the lowest-effort ways to increase the credibility of malware. As I recall, Jia Tan did that on GitHub.

EDIT: Hmm. That does kind of suggest that Firefox might benefit from a plugin model where plugins could only have permission to process the “current page” when a button is clicked, which I’d guess would likely work for Bypass Paywalls Clean, even if it’s not how it works today. Some plugins, like Behind The Overlay, could reasonably function in such a manner.