Because extensions can and often do contain stuff like images or JS bundles that they inject into a target page's DOM. Not allowing a tab's context to load files from the chrome-extension:// namespace would break a lot of things.
True, but you'd expect the same CORS rules to apply for extensions.
Only pages originating from an extension are by default able to load resources from said extension.
