If you read their full paper, they do technical analysis confirming findings in many cases. Many other researchers have done the same in the recent past.

Full paper also says that the unique URLs were later requested by crawlers, which confirms server-side collection.

What happens server-side is also confirmed by the palant.info article that shows a graphic provided by a major data broker that shows exactly how they mis-use data collected by extensions under false pretenses.

It's far from speculation when there's both technical evidence collected by researchers and direct evidence provided by the bad actors themselves.