The problem with JS is that it's all on the client side, and they have full access to the source code, no matter how obfuscated it is.
Implementing the HTTPS protocol would get rid of most security issues, because people cannot snoop the traffic between the browser and your server, which is extremely easy to do on public Wi-Fi, for example.
I'm not a security expert, but right now the only other solution I could think of is for the extension to first request a session-based random encryption key from the PHP application, then use that to encrypt/decrypt all data they pass to each other, so only the extension and server could know the key at any given time.
However, I believe that's pretty much how HTTPS works anyway, so it's almost easier to just implement that.
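
The key-request scheme from the post, modelled end to end as an added example (not code from the original answer): over plain HTTP the key reply crosses the same wire as the data, so the key stays private only when the transport is already HTTPS. The frame names, the sample payload and the `<TLS record>` stand-in for an encrypted transport are assumptions made for illustration.

```javascript
// Added example: frame names and payloads are constructed for illustration.
const crypto = require('node:crypto');

// AES-256-GCM helpers; they work for anyone who holds the key.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv: iv.toString('base64'), ct: ct.toString('base64'), tag: c.getAuthTag().toString('base64') };
}
function open(key, msg) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(msg.iv, 'base64'));
  d.setAuthTag(Buffer.from(msg.tag, 'base64'));
  return Buffer.concat([d.update(Buffer.from(msg.ct, 'base64')), d.final()]).toString('utf8');
}

// Simulates the exchange. `wire` holds what a passive listener on the network
// path records: readable JSON over plain HTTP, an opaque record under TLS
// (a modelling assumption standing in for real TLS encryption).
function runExchange(transportIsTls) {
  const wire = [];
  const send = (frame) => {
    wire.push(transportIsTls ? '<TLS record>' : JSON.stringify(frame));
    return frame;
  };

  // 1. Extension requests a session key; the server side replies with one.
  send({ type: 'key-request' });
  const serverKey = crypto.randomBytes(32);
  const reply = send({ type: 'key-reply', key: serverKey.toString('base64') });
  const extensionKey = Buffer.from(reply.key, 'base64');

  // 2. Extension encrypts its data with the session key; server decrypts it.
  const data = send({ type: 'data', ...seal(extensionKey, 'user=alice;token=constructed-sample') });
  const serverSees = open(serverKey, data);

  // 3. What the listener recovers from the recorded traffic alone.
  const frames = wire.filter((f) => f.startsWith('{')).map((f) => JSON.parse(f));
  const k = frames.find((f) => f.type === 'key-reply');
  const m = frames.find((f) => f.type === 'data');
  const listenerSees = k && m ? open(Buffer.from(k.key, 'base64'), m) : null;
  return { serverSees, listenerSees };
}

console.log('plain HTTP:', runExchange(false));
console.log('HTTPS     :', runExchange(true));
```

Under HTTPS the inner AES layer adds nothing the transport does not already give, which is the post's closing point.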