by elaus 860 days ago
Could you elaborate? I didn't find anything in the change log that made this obvious to me.

Ha, exactly! They rarely fix bugs.

E.g., XSS / HTML injection in summarizer or discuss document. Or their broken CSP which allows injecting forms to e.g., change settings.

They haven't fixed many reported issues in a while, and just to prove I'm not lying: https://kagi.com/discussdoc?url=https%3A%2F%2Fkagi.com%2Fcha...

While it doesn't look good, it doesn't inject or execute scripts.

Still, would have liked an official take on this. I was about to re-signup but now I'll hold off on that.

Oh yes, because of the CSP. The CSP that allows forms that can change your settings... you could easily use the above bug to get some impact with an additional click on a form's submit button.

Admittedly, no full XSS anymore, but still dangerous and shows their lack of understanding and caring about security.

It's not the only place you can inject HTML and not every page has a CSP...

I don't get why they allow injection of irrelevant URL parameters in the first place; it's the first rule of any input: remove what's not used and sanitize what is.

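
Added illustration of the two points raised above (dropping unused URL parameters and escaping the rest, and a CSP that actually constrains where forms may submit); this is constructed example code, not code from the thread or from Kagi. The parameter names, the `/settings` path and the sample query string are assumptions made up for the demo.

```python
from html import escape
from urllib.parse import parse_qs

# Constructed allowlist: the only query parameter this page is assumed to use.
ALLOWED_PARAMS = {"url"}


def reflect_unsafe(query_string: str) -> str:
    """Vulnerable pattern: every parameter, used or not, is echoed verbatim."""
    params = parse_qs(query_string, keep_blank_values=True)
    return "".join(f"<p>{k}: {v[0]}</p>" for k, v in params.items())


def reflect_hardened(query_string: str) -> str:
    """Drop parameters the page does not use, then HTML-escape what remains."""
    params = parse_qs(query_string, keep_blank_values=True)
    kept = {k: v[0] for k, v in params.items() if k in ALLOWED_PARAMS}
    return "".join(
        f"<p>{escape(k)}: {escape(v, quote=True)}</p>" for k, v in kept.items()
    )


def csp_restricts_form_targets(csp_header: str) -> bool:
    """True when the policy carries a form-action directive that is not a wildcard.

    Without form-action, an injected <form> may submit to any origin; with
    form-action 'self' it may still submit to same-origin endpoints, so output
    escaping and CSRF tokens on state-changing forms remain the primary fix.
    """
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "form-action":
            return "*" not in parts[1:]
    return False  # no form-action directive at all


# Constructed sample: a legitimate "url" parameter plus an unused "note"
# parameter carrying injected markup.
SAMPLE_QUERY = (
    "url=https%3A%2F%2Fexample.com"
    "&note=%3Cform+action%3D%22%2Fsettings%22%3E%3C%2Fform%3E"
)

if __name__ == "__main__":
    print(reflect_unsafe(SAMPLE_QUERY))    # injected <form> reaches the page
    print(reflect_hardened(SAMPLE_QUERY))  # "note" dropped, value escaped
    print(csp_restricts_form_targets("default-src 'self'; form-action 'self'"))
```
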
Regarding privacy: an obvious point is that you need to log in to use the search engine, so each search is tied to a unique user. Given that payment is involved, each user can be tied to a real-world identity.
>so each search is tied to a unique user

Is it? They say searches aren't tied to account: https://help.kagi.com/kagi/privacy/privacy-protection.html#e...

The link says that they do not _log_ the searches tied to accounts, but they do receive enough information to cross reference this data.