As you said, the xray vision is to protect the extensions from evil websites, not the other way around. So to get access to the actual object in the other, you don’t need to break the sandbox. Just ask nicely (and make sure you’re not becoming a confused deputy by trusting untrusted values)
To get access to the actual object, just overwrite navigator.wrappedJSObject instead.
See the how to on sharing data with page scripts
Thanks! I was actually aware of wrappedJSObject, but this only works with Firefox, right? I took the more complicated approach here so that it would be cross-browser compatible. That’s one of the big advantages of WebExtensions in the first place :-).