
But what would the government compel them to do? If the method is secure, you don’t need to trust the server. And if they backdoor the open source client, people could notice it in an audit.



I think you’re right, perhaps I’ll do some more reading about it - It seems like it all relies on what the extension does, and if this extension is open source someone will notice as you said. Thanks for the clarity!


The method is secure until they change it. Their docs mention that generating a token is not anonymous, but using a token is. Considering they already know who generated it, it could be trivial for them (to change something server side where the validation occurs, if compelled) to link a particular search to a user.


You don’t get the token itself from the server though, you get something so you can make your own token for which the server doesn’t know who created it. So they can do whatever they like on the server, they can’t identify you.


Indeed, thanks for clearing that up!



