I'm in the same boat as GP. Was invited early, loved the Arc UX far more than any other browser. I've recommended it to many people.

As many other comments have pointed out, this vulnerability is such a rookie mistake that I don't think I can trust them again after this without understanding what factors in their security/engineering culture led to it. Patching this one issue isn't enough.

>Them acknowledging the issue, then fixing it within 28 hours isn't good enough for you?

Are you not concerned with the yet to be discovered vulnerabilities?

What is concerning is the nature of the vulnerability and how it speaks to their security culture (which is obviously non-existent). This also revealed that their privacy policy is pure marketing fluff, completely disconnected from (and, in fact, counter to) their actions.

If you are comfortable using a browser (probably the software with the largest risk and attack surface on your device) that had an embarrassingly rudimentary vulnerability, made by a company who lie about the most important promise of their privacy policy, then I've got a calculator app for you.

They afaik never said that they ‘fixed’ the issue where they’re sending Google your every visited url.

Where did they acknowledge the issue? There’s nothing about this issue on their website or their Twitter feed.

They only acknowledged the issue after the write up from the researcher and claimed they thought they didn't need to include it in the release notes because it was a "backend fix".