Yes, obviously is that possible, but the least that one should do then is looking up what's really happening. These are browser addons, the source code is available. But instead they are looking from the outside and calling alarm on something they don't understand. That's just poor behaviour and harmful in today's climate.
If you read their full paper, they do technical analysis confirming findings in many cases. Many other researchers have done the same in the recent past.
Full paper also says that the unique URLs were later requested by crawlers, which confirms server-side collection.
What happens server-side is also confirmed by the palant.info article that shows a graphic provided by a major data broker that shows exactly how they mis-use data collected by extensions under false pretenses.
It's far from speculation when there's both technical evidence collected by researchers and direct evidence provided by the bad actors themselves.
In particular, look for the diagram provided by a data vendor showing this in action.
As with safebrowsing and adblocking extensions, there is no need to send data to servers.
Many groups of smart people have developed client-side and/or privacy-preserving implementations that have worked with high effectiveness for decades.
Unfortunately, many other groups have also financial incentives to not care about user privacy, so they go the route shown in the research.