
Researchers try to find complicated and unrealistic scenarios to exploit vulnerabilities, but do not notice the elephant in the room. Auto-update is the equivalent of a backdoor. It allows the company to upload and run any code on any user's computer unnoticed. I won't be surprised if governments soon demand that every application having more than N users must support auto-update.


I like to call auto-update functionality what it really is: a deliberate RCE vulnerability.


That's an unfair argument to make though. I think in practical terms an auto-update on a browser like Chrome prevents an enormous amount of security breaches from truly malicious, criminal actors using public CVEs for their average users. And as much as I dislike Google and their privacy invasions, Chrome is likely one of the most secure browsers out there and a lot of people rightfully rely on Chrome's security for very important things like their online banking.

I'd rather have my mom use auto-updating Chrome than having to remind and reteach her how to update Chrome manually once a week.


Does Chrome update work the same way? I've felt uneasy enough that I jumped to Firefox some time ago..


It works in exactly the same way.



