
Use HTTPSEverywhere on your browsers, and then enjoy the "You're close to your monthly limit!" pop-up on the Steam Store!



Um, I assume the code for that pop-up is rendered into the page on the web server that produced the page, before being returned to the browser.


That is precisely the problem. If the notification were rendered as part of the page by the web server, no one would have an issue with it (though it would likely be blocked by adblockers anyway).

It's the fact that the ISP is modifying traffic en route, to inject something that was never intended to be part of the page, that is the problem.

I expect my ISP to be a neutral carrier of messages, not meddling and altering my mail to add whatever they happen to feel like adding today.


What?


I think the intent was to comment that extensions don't protect programs with embedded web views, like the Steam store. I'd hope the Steam store is using HTTPS though...


Only on checkout pages. For the rest of the storefront they actually redirect you from HTTPS to HTTP.


That's especially bad, because you can't actually see the origin or whether TLS is in use from the store's interface...



