Where's the line on this kind of thing? If I type my CC info into a text file using VS Code should I expect Microsoft to add the CC info to my Microsoft account? What about just typing my CC info into any field when using Windows?
Edit:
> How is this evil? There is literally zero negative outcomes from this.
I like to think of every online account as a liability, because any one of them can be compromised and cause me a bunch of headaches. The "level" of headache depends on how much information each service has about me. What gives Google the right to expose me to more risk in this way?
This one is different, you logged into Chrome with your Google account and stored the data of your credit card to the same google account.
If you type your cc info into vscode with your msft account logged in and a sync option enabled then you also shouldn't be surprised if you found it into your msft account.
Because in no way should payment product y be able to see, store, access, or otherwise use google product x's sensitive stored information without explicit user consent
In storing card data in product x, the assumption of the user would be that that product is storing that card data for future autofill purposes in product x
Discovering that this data has somehow been turned into an entire financial account on product y without consent should enrage any reasonable user of product x
It seems like what happened is Chrome used a special backend for storing credit card info associated with your Google account, and this Google Payment product now literally just became the interface that let's you manage your credit card information that was already associated with your entire Google account across all Google products.
I think if there was "leakage" it happened some point earlier than this: the user thought they were storing an credit autocomplete in Chrome but actually they were storing credit card info associated generically with their Google account, and eg was already linked to Play Store for purchases. The fact that the spot where you go to manage the "Google account associated credit card info" is accounts.google.com or payments.google.com seems pretty irrelevant here.
It isn't for you, me, or Google to determine whether or not there are potential negative outcomes coming from the unexpected use of very sensitive data such as CC #s, or what amount of risk is acceptable. That sort of assessment can only realistically be done by whoever's data it is.
That Google appears to be so cavalier about this is a serious, but unsurprising, thing. I don't think I'd call it "evil", though, so much as "abusive".
> Surprised when he has an account on google’s payment product y
How is this evil? There is literally zero negative outcomes from this.