All RES data (settings, user tags, some browsing history) is stored in your computer's browser. Data is not synced to a cloud service without you explicitly setting it up.
RES does not encrypt passwords stored in the Account Switcher.
Why does RES not encrypt passwords?RES must send your password to Reddit in plaintext, so passwords must be stored either as plaintext or in a way that RES can unencrypt it. Since RES is open source, anyone with a password encrypted by RES could look up and unencrypt the password on their own.
What can I do?RES stores some data about where you've visited recently on Reddit.com. This data is also stored while using RES incognito.
RES requires access to certain functions of your browser and access to some external websites. Would you like to know more, citizen?
Reddit Enhancement Suite does not check home to our own/managed servers. However, browsers will check their own extension servers to see if a new version of RES is available. No data about you is sent to the RES team nor is it stored.
You can use RES to load stylesheets from outside reddit.com. None are loaded by default.
The websites hosting these external stylesheets can collect some data about you: your IP address, what browser you're using, and that you're loading the stylesheet from reddit.com. These websites can also add tracking cookies to your browser. These are generally safe, but if you are concerned about being tracked, do not add stylesheets from websites you don't trust.
RES has some features to help maintain privacy, but by and large RES is not a privacy/security extension.
Any extension ever made technically "has access to your browsing history", because it is running in your browser and needs to be able to see what URL you're on so it knows what to do. RES doesn't do anything with this history, and doesn't record it. Furthermore, it doesn't access your "past history" at all.
RES needs "tabs" permission to open new tabs when you click links (e.g. keyboard commands that open a link in a new tab) -- this permission does NOT mean that RES can "see what's in your tabs"...
The image expandos that a lot of people love require RES to fetch the image (for some hosts) via their API eg imgur/DeviantArt. RES isn't "reading your history" -- it's adding URLs to your history to make those links purple.
RES requests Geolocation permission purely for the functionality to set nightmode to turn on and off based on local times. The code for this can be found here.
RES needs access to various websites (Chrome's message about "your data on..." is bogus) to do what it does. For example, hitting the imgur API to get data on an album so you can view it inline.
Another example is the feature where RES adds Youtube video lengths to the ends of posts where possible. To do this it has to be able to contact YT to retrieve this info (hence the warning about needing to access data on other sites). It doesn't care how many times you've watched Bieber, it just needs to retrieve the length of the video.
Be absolutely assured that RES does nothing malevolent with the permissions that you grant it. It has millions of users and works closely with reddit itself. (Not that it ever would), but even if a single line of malicious code were to enter RES, then it'd be detected in a flash by its huge userbase. If you're still unsure, RES is open source and you can inspect the code for yourself on github.
As far as other sites it needs access to, RES pulls info from: