by judge2020
2495 days ago
I say this sarcastically - I don't think anything about Brave's security ops is flawed or even misconfigured [now], but Google and Mozilla have a lot more resources than Brave does dedicated to security and auditing of things like CI servers and access controls. And the password sync thing was related to the server that runs sync - it's E2EE, but Brave controls the update process and could very well deploy a malicious update that exfiltrates sync data or leaves it open to attacks. That's why my point is about where you place your trust - if you're not up to the task of building your own browser (or at least auditing and building Chromium yourself) and running your own sync software, you have to trust someone; oftentimes this means giving up privacy (Google) or giving up security (again, choosing Brave isn't really giving up the security of your sync data, you're just now trusting a company that might not have the same security procedures and amount of resources dedicated to audits).