They leaked one file in the sandbox that contained lots of internal proto files. The security team reviewed everything in the sandbox and thought nothing in it is sensitive and gave the green light; apparently the review didn't catch this in the sandbox.
I guess this is a failing of the security review process, and possibly also how the blaze build system worked so well that people forgot a step existed because it was too automated.
No it's not the same level of internal. There are internal proto files specific to Chromium and its API endpoints, and then there are internal proto files for google3. The latter can divulge secrets about Google's general server side architecture. The former only divulges secrets about server side components relevant to Chromium.
I guess this is a failing of the security review process, and possibly also how the blaze build system worked so well that people forgot a step existed because it was too automated.