Probably true, but it still stings that this dubious piece of software (speaking as a former iTerm2 user still holding a grudge) had been spraying my passwords and random terminal activity all over the internet in the form of unencrypted DNS requests for who knows how long, deliberately, due to mindless opt-out featuritis on the part of the developer. In my mind this is one of the clearest violations of privacy and information security I've been directly subjected to, because the developer had some gee-whiz-neato idea of highlighting URLs in a terminal and making them clickable.

It pains me to think people are still exposing themselves to this class of risk because of whatever iTerm2's latest and greatest idea is.

I think it's very reasonable to point at the development model and go, "I think this is bad and specifically the cause for security vulnerabilities". If you want to make that your position (I am sure it is already, and I don't think it is particularly controversial) that is completely fine. But there's a difference between holding that and your actual comment. Like, this was 100% unintentional, and people literally introduce malicious or undesirable features in their software all the time. Maybe we should save the tarring and feathering for that, and come up with a more measured take for stuff like this?