PrivacyGuides has also just recently started to recommend Redlib.
I think this article by Mullvad explains this well.
They need to make money somehow, and regardless, all the crypto stuff is actually turned off by default, so criticizing Brave for this makes little sense to me.
According to their privacy policy, they are using both AdMob and Facebook trackers on their other apps, so that may happen to Raivo as well at some point.
Proton Pass has already been audited by Cure53.
I don’t know what filters you have specifically enabled, but I have all EasyList Annoyances and uBlock Annoyance lists enabled and they work fine. There may sometimes be something that these don’t get, but that happens quite rarely.
Ublock Origin has annoyance filters that you can enable.
Since the vault is end-to-end encrypted, it shouldn’t matter where it is hosted, even if it is in the cloud. Here is what a security researcher and a password cracker Jeremy M. Gosney has said about this after the LastPass incident.
”Is the cloud the problem? No. The vast majority of issues LastPass has had have nothing to do with the fact that it is a cloud-based solution. Further, consider the fact that the threat model for a cloud-based password management solution should *start* with the vault being compromised. In fact, if password management is done correctly, I should be able to host my vault anywhere, even openly downloadable (open S3 bucket, unauthenticated HTTPS, etc.) without concern. I wouldn’t do that, of course, but the point is the vault should be just that – a vault, not a lockbox.”