Does the tabs.create
API check the passed URL against malicious patterns of some sort?
I think there’s an integration between Firefox and a Google service that reports malicious URLs and shows a warning in that case. That’s done for all loaded URLs, not just the ones opened via the API.