Web devs: please, PLEASE, learn the difference between History.pushState() and History.replaceState(). It's the latter you want. Please do not spam my browser history just because I have interacted with your app; it's rude.
I get this issue on YouTube every time (well, other way). On mobile, go to front page, search, hit a search result. Go back and you're on the front page...
If Google can't get it right (or don't care to) I think it's a lost battle.
Well, the whole API is bad and the name is wrong. It has nothing to do with history, because you can only ever manipulate the top entries. You don't get an array of objects or simply some kind of list of URLs/strings, you have to know the specific API to do head of stack manipulation basically.
And no, this has nothing to do with security. The browser could easily filter the list for same origin even with the list/array approach. People just need to invent things that could've been just another data structure, perhaps with some kind of Compare And Swap wrapper for concurrency.