I actually find that somewhat reassuring, similarly to a Google employee criticising the security practices of a Google-operated certificate authority in public[1]: it demonstrates that the team responsible for instituting security policies in the interest of users still has some autonomy.

[1] e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1709223#c19