If I had to guess I’d say that their other project, Sponserblock, got a little bit more popular than they were expecting and this is just to help alleviate server costs. Most of the API endpoints don’t require any auth at all (the single one that does accepts a random UUID), so any checks must be locally done (maybe system time?). The extension and server back-end are licensed under GPLv3 and AGPL respectively and are also entirely self-hostable, so the code is out there to verify if you wish
Arch does tend to keep packages as close to upstream as possible, which can be both a good and bad thing. Sway not binding to
graphical-session.target
by default is a little strange for example. Other distros also save a first-time user a great deal of configuration for things they probably don’t care about as well. Going through Fedora’s install and finding out that disk encryption and SELinux were configured OOTB was very nice to see personally. On the other hand Arch’s installation (w/o archinstall) has you choosing a bootloader, audio server, display manager, etc. Nothing arduous and I like it, but definitely not for everyoneThis is all eliminated by spinoffs of course, but even there users have the option to run random scripts/AUR packages without vetting them. Also doesn’t help that the most popular Arch-based distro for a while (Manjaro) was pretty flaky and generally incompatible with the AUR (despite saying otherwise), leading to many people saying “that’s just Arch” and swearing off the parent project as well