So there’s a proposal in place to require websites to get specific authorisation from the user before the APIs will be injected. And since injecting an API to allow the website to request access would defeat the point, it uses window.postMessage:
Dapps MUST request the web3 API by sending a message using window.postMessage API. This message MUST be sent with a payload object containing a type property with a value of “WEB3_API_REQUEST” and an optional id property corresponding to an identifier of a specific wallet provider, such as “METAMASK”.
If the plugin is installed it will prompt the user for access and if granted inject the APIs into the DOM. If the plugin isn’t installed or if the user refuses access, the website simply receives no response.