Fair point. What would you accept as sufficient proof that their implementation is correct?
If your answer is "nothing", then I think you're being unreasonable. Firefox risks compromising security/privacy with _every_ new feature they implement, not just this one, and it's clear from [other comments][1] in this thread that this feature is just as important for the overall functionality of Firefox as any other feature would be.