Sort:  

That's a great question, and I'll put it in the FAQ. The extension is just using your posting key, just like DTube does. Your posting key is saved in your browser storage and is never transmitted or accessible by any other sites. The posting key is transmitted using the official steem-js library to make a transaction to upload your post directly to the Steem block chain: https://github.com/steemit/steem-js. There is also an "Erase" button on the extension settings, so that if you are on a public computer, you can remove your posting key from that Chrome browser.

I have updated the Steemir faq and knowledge base with this question and answer. Thanks!
https://steemir.com/faq