So far the only solution I’ve found is to first inject the script into the background html page like I did:
background.js (excerpt)
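// Append a <script> element to the background page's <head> to load the remote library.
var head = document.getElementsByTagName('head')[0];
var script = document.createElement('script');
script.type = "text/javascript";
// The onload parameter names the function to call once client.js has loaded.
script.src = "https://apis.google.com/js/client.js?onload=callbackFunction";
head.appendChild(script);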
And then to bypass the security warning, edit the manifest file (source):
manifest.json (excerpt)
"content_security_policy": "script-src 'self' https://apis.google.com; object-src 'self'"
However, note that bypassing the security only works for https links, and I also find it kind of hacky… any other solutions are welcome.
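
An added example, not part of the original answer: a small audit of the manifest's `content_security_policy` string that reports every `script-src` entry that relaxes the default policy, such as the `https://apis.google.com` origin above. The function names and finding texts are made up for this illustration, and it assumes the string form of the key shown in the manifest excerpt.

```javascript
// Added example: audit script-src in a manifest's content_security_policy string.
// parseCsp and auditScriptSrc are hypothetical names, not part of any extension API.

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // In CSP the first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditScriptSrc(manifest) {
  const findings = [];
  const policy = manifest.content_security_policy;
  if (typeof policy !== 'string') return findings; // key absent or not the string form
  const csp = parseCsp(policy);
  // script-src falls back to default-src when it is not declared.
  const sources = csp.get('script-src') || csp.get('default-src') || [];
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'self'" || s === "'none'") continue;
    if (/^'(sha(256|384|512)|nonce)-/.test(s)) continue; // pinned to specific content
    if (s === "'unsafe-eval'" || s === "'unsafe-inline'") {
      findings.push({ source: src, issue: 'keyword weakens script execution policy' });
    } else if (s.startsWith('https://')) {
      const host = s.slice('https://'.length).split('/')[0];
      findings.push({
        source: src,
        issue: host.includes('*')
          ? 'wildcard remote script origin'
          // Scripts loaded into the background page run with the extension's permissions.
          : 'remote script origin: this host can run code inside the extension',
      });
    } else {
      findings.push({ source: src, issue: 'non-https or scheme-only script source' });
    }
  }
  return findings;
}

// The policy string from the manifest excerpt above.
const pagePolicy = "script-src 'self' https://apis.google.com; object-src 'self'";
console.log(auditScriptSrc({ content_security_policy: pagePolicy }));
```

Each finding is an origin or keyword whose integrity the extension now depends on, so the list is worth reviewing whenever the manifest changes.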