[s_q_b]

If homebrew is transmitting the packages you install across the internet, through Google's servers, and through homebrew's system, it is very possible that information could be swept up in a dragnet or stored on a server that could later be subpoenaed or searched with a warrant.

[semi-extrinsic]

The analytics issue aside, how can a package manager not transmit what packages you install across the internet? At some point it has to request the package(s) you're installing from somewhere on the internet.

[s_q_b]

Yeah, over TLS, and I generally presume that a simple request for a package won't be logged and recorded for posterity.