Hacker News | dveditz_'s comments

The "exposing information about..." bit in the Mozilla statement is a fingerprinting/privacy argument like WebKit's


Maybe? I read that as more of a compatibility thing; if sites depend on information that Chrome exposes, then it's easy for them to have bugs on browsers that don't expose the exact same information (possibly by way of that information not even existing or making sense for a different implementation).


Removed MNG and started work on APNG 20 years ago! https://bugzilla.mozilla.org/show_bug.cgi?id=257197


It supports JavaScript when used as a document, but when used as an "image" by a browser (IMG tag, CSS features) JavaScript and the loading of external resources are disabled.


The capabilities are already expanded in most common implementations. This update is largely blessing those features as officially "standard".


It's not a "goal", it's a requirement (right there in the name!). Failing to comply with a government requirement subjects you to the associated penalties. They haven't said which requirement (we assume it's Russia Sanctions, of course), but their lawyers must have determined that the penalties would apply to them.


This doesn't involve financial transactions with a Russian company or rendering of services for a Russian company.


We are not aware of any such thing. As rebelwebmaster noted, when we know that we put it in our advisory.

Clearly the vulnerabilities are exploitable as demonstrated by Manfred Paul's winning Pwn2Own entry. The details were disclosed only to Zero Day Initiative staff (the contest organizers) and Mozilla. They have not been discovered on any website in the wild.


Tails has updated their advisory to remove that statement: https://tails.boum.org/security/prototype_pollution/index.en...


Perhaps Tails copy/pasted the page from an older notice?

Although the two patches have now been public for ~6 days at this point.


Who are "we" here?


Judging by the post and the user's post history, almost certainly 'we' refers to Mozilla.


Post history suggested at best ex-Mozilla to me.


Did the execs get raises after the layoffs? About half the ones that were at Mozilla at that time are gone now.


Or you just turn it off in the normal preference UI and trust that California's AG will sue Mozilla into oblivion if they weren't honoring the CCPA.

https://blog.mozilla.org/netpolicy/2019/12/31/bringing-calif...


Those are in no way substitutes for each other -- you have to do both. People are not able to self-report accurate measurement data, and telemetry data can't tell you anything about what a person wants or why they do things.


How to know when unrelated domains are actually part of the same site is a hard problem. The Public-suffix List approach works okay-ish for cookies, but no one's really happy enough with it to trust for riskier features, and it doesn't help organizations with multiple names (apple.com and icloud.com, google.com and youtube.com, facebook.com and fb.com, etc). As that example list shows, at least two major browser vendors have a vested interest in making this work while preserving security.

One conversation-starter folks are discussing is https://github.com/mikewest/first-party-sets

