>Part of the point is that likely this has zero privacy implications (except potentially disclosing to someone monitoring your traffic that you are using their browser).

It has zero implications if you trust DDG and good privacy is not based on blind trust. Keep in mind that you also need to trust the government under which DDG acts to not require them to disclose this data, trust the government to not put black boxes in the DDG data center, trust DDG's security apparatus against external state actors, trust any rogue DDG employee to not use this data and so on.

I agree, I still think it is relevant to treat actual privacy violations differently from engineering choices that might make privacy violations easier in the future.

My opinion is that DDG should have never made this choice in the first place, but as far as I am concerned this is at the level of an implementation detail that can be improved, not as if DDG was intentionally using user data in some non-private way.

The concern as I see it is that this issue and the initial DDG response to it shows a lack of understanding of technical privacy controls. What they are and why they matter so much. DDG's backend is not audited and so one wonders if that same lack of understanding applies to the backend as well. DDG cites privacy policies but, in my experience, the best policies are backed with strict technical controls as humans never follow policies perfectly on their own.