Reading further, this API only works remotely for CSS via chrome.scripting.insertCSS. For JS, however, the chrome.scripting.executeScript JS needs to be packaged locally with the extension, as you said.

It seems the advanced method is to use chrome.userScripts, which allows for arbitrary script injection, but requires the user be in Dev Mode and have an extra flag enabled for permission. This API enables extensions like TamperMonkey.

Since the Claude extension doesn't seem to require this extra permission flag, I'm curious what method they're using in this case. Browser extensions are de facto visible-source, so it should be possible to figure out with a little review.