Pretty much, yeah. The 'access all data on all websites' permission basically gives the extension access to injecting Javascript in all of your pages, which gives the extension full access to the DOM, and thus access to password and credit card fields.