Sorry I can’t buy the additional 3rd party potential vulnerabilities argument. It just sounds so unfair to Librewolf team.
Who would assure that arkenfox won’t change security.certerrors.mitm.priming.endpoint from https://mitmdetection.services.mozilla.com/ to their own server, or change DoH to their own DNS server in an update?
Who would assure that the next 31/71 virus detection of Mullvad won’t be false positive any more?
You are exposing to the codes of 2 entities (Chromium and Brave) with Brave and 3 entities (Firefox, Tor and Mullvad) with Mullvad. It’s not different to Librewolf’s. The only difference is the “bigger” organizations of the others. If PG’s criteria for browsers include “Must come from a big team” then I would 100% agree of rejecting Librewolf because of that criterion.
Currently the only valid reason to reject Librewolf is the update criteria. All of other reasons are just bias nitpicking and ignoring the same things with other browsers, and not in the criteria at all.