Isn’t it a different thing for a Googler to run some code deliberately, presumably having some idea where it came from and what it does, vs. some code being run on their computer without their consent or knowledge of what it is?
I don't fool myself into believing that when I install some package from CRAN, or whatever your least-favorite insecure software repository is, I know exactly what it is or does. So to me it seems the same risk either way. Anyway, I am only trying to address the question raised in the article about why Google security did not flip out over this report in the way the author expected them to.
Seems weird to group those two as the same thing.