[nyuszika7h]

No, this is not an Insider build issue. Blocking apps from sneakily changing the default browser without user content is one thing. But in Windows 11 RTM, they specifically went out of their way to make it a lot harder to change your default browser (or any default app), by forcing you do to it separately for each protocol and file extension. This led to non-malicious apps (e.g. Firefox) pursuing an alternative method to avoid users having to jump through hoops.

It's quite interesting that if it's such a big security vulnerability Microsoft hasn't patched it in all these years, but when suddenly a browser maker wants to act in the users' best interests it's a "critical security vulnerability" that must be patched immediately.

Yes, malware could theoretically abuse the same loophole. But they simply cannot lie to our faces and say this is being blocked only to prevent malware when they've intentionally made it harder for users themselves to change the setting as well.