Security risks have their own standards and assessments. It’s not something to ignore just because the software brings something different of privacy to the upstream. GrapheneOS rejects Gecko-browsers because of their security risks although forks like Mull bring a lot of improvements in privacy (and actually security with JIT-disabled) comparing to chromium.
I did not just compare with AF alone.
Who would assure that the next 31/71 virus detection of Mullvad won’t be false positive any more?
Why is only Librewolf’s security is a concern while Mullvad showed the same security concern with that? I know about Mullvad’s response. My point here is if you bring security as an aspect to reject, please back it up with valid evidence because it’s a serious topic.
(And actually the non-autoupdateable of AF brings a contradiction to PG’s update criterion, and a “difference” of LW with FF+AF, but ok if no one wants to discuss between LW and AF, I won’t discuss it further).
Again, as I said above, if we count “bringing something different” as a hidden criterion, I won’t oppose it and there would be none of this discussion. But if you bring security concern as another half of equation, please back up that half clearly with security-based evidence, not via “its privacy trade-off aspect” because it’s a whole other serious field with plenty of resources and can easily raise many other people’s eyebrows.