50k or 100k would be far more appropriate given the severity of this issue. But overall, this makes me think there's probably a lot more vulnerabilities in Arc that are undiscovered/unpatched.

Also, there's the whole notion of every URL you visit being sent to Firebase -- were these logged? Awful for a browser.