TL;DR for anybody worried. systemd-tmpfiles --purge was too broad in scope (and has a confusing name) so now you must be more specific when using it to avoid accidentally deleting things.

Android has the same permissions, if a weird app asks for location you deny it. Its not common ime.

I really doubt anything escaped the browser, but websites can make nefarious connections, sure.

I’m not certain but I believe it has been the default in 22.10 and newer.

Canonical has been pushing their less portable Snap solution and moving away from traditional packages.

This means:

• They are the sole store host and decide what is allowed.
• The apps can be less secure or totally broken on other distros.
• The tooling to make snaps heavily incentivize only using Ubuntu as a base.

A dns blocker cannot do anything more than ublock. It is nice for other apps though.