SchoologyPlus
Restrict APIs exposed from background page to content script
Chrome security recommendations essentially say that, as a background page, one should distrust content scripts. We currently expose a fairly broad "fetch via background" API to our content scripts, which explicitly goes against their recommendations. We should evaluate the security implementations here and trim down our API as needed.
Where's this change needed? I'd assume the notification badge bit is one of them.
fetchApiJson in preload.js is the one which comes to mind. Anywhere we use the Schoology API calls this function.
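An added example (not SchoologyPlus code) of what trimming the fetch-via-background API down to an allow-list could look like, as the issue description and the fetchApiJson comment suggest: the background page resolves only known API paths and never lets the content script choose host, method or headers. The API base URL, the endpoint patterns and the message shape are assumptions for illustration.

```javascript
// Added example, not SchoologyPlus code: a background-page message handler
// that exposes only an allow-listed set of Schoology API reads to content
// scripts instead of a general "fetch any URL" pass-through.
// API_BASE, the endpoint patterns and the message shape are assumptions.

const API_BASE = "https://api.schoology.com/v1/"; // assumed base URL

// Each entry is a RegExp over the path a content script may request.
// Anything not matched here is refused, whatever the script sends.
const ALLOWED_ENDPOINTS = [
  /^users\/me$/,
  /^users\/\d+\/grades$/,
  /^sections\/\d+\/assignments$/,
];

// Validates a request from a content script and returns the URL the
// background page will actually fetch, or null if the request is refused.
function resolveApiRequest(msg) {
  if (!msg || typeof msg.endpoint !== "string") return null;
  // Strip leading slashes, then reject anything that could change the
  // host or scheme, add a query, or climb out of the API path.
  const endpoint = msg.endpoint.replace(/^\/+/, "");
  if (endpoint.includes("..") || /[?#:\\]/.test(endpoint)) return null;
  if (!ALLOWED_ENDPOINTS.some((re) => re.test(endpoint))) return null;
  const url = new URL(endpoint, API_BASE);
  // Defence in depth: the resolved URL must still sit under the API base.
  return url.href.startsWith(API_BASE) ? url.href : null;
}

// Handler shaped like a chrome.runtime.onMessage listener, with fetch
// injected so the example runs outside a browser. Only GET is ever issued;
// the content script never supplies method, headers or body.
async function handleApiJsonMessage(msg, fetchImpl) {
  const url = resolveApiRequest(msg);
  if (url === null) return { ok: false, error: "endpoint not allowed" };
  const res = await fetchImpl(url, { method: "GET", credentials: "include" });
  if (!res.ok) return { ok: false, error: `HTTP ${res.status}` };
  return { ok: true, data: await res.json() };
}
```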