diff --git a/src/background/index.js b/src/background/index.js
index 77d0958..7f980f6 100644
--- a/src/background/index.js
+++ b/src/background/index.js
@@ -330,18 +330,25 @@ async function handleRpc(method, params, origin) {
     return { error: { message: "Unsupported method: " + method } };
 }
 
-// Broadcast accountsChanged to all tabs
+// Broadcast accountsChanged to all tabs, respecting per-address permissions
 async function broadcastAccountsChanged() {
+    const s = await getState();
     const activeAddress = await getActiveAddress();
-    const accounts = activeAddress ? [activeAddress] : [];
+    const allowed = activeAddress ? s.allowedSites[activeAddress] || [] : [];
     tabsApi.query({}, (tabs) => {
         for (const tab of tabs) {
+            const origin = tab.url ? new URL(tab.url).origin : "";
+            const hostname = extractHostname(origin);
+            const hasPermission =
+                activeAddress &&
+                (allowed.includes(hostname) ||
+                    connectedSites[origin + ":" + activeAddress]);
             tabsApi.sendMessage(
                 tab.id,
                 {
                     type: "AUTISTMASK_EVENT",
                     eventName: "accountsChanged",
-                    data: accounts,
+                    data: hasPermission ? [activeAddress] : [],
                 },
                 () => {
                     // Ignore errors for tabs without content script