I logged an Information Leak bug to Chromium.

Chrome autofills your credentials on sites even with “Manage passwords” toggled “off”, “Auto Sign-in” toggled “off”, and “Autofill settings” toggled “off”. The problem is that users would reasonably expect turning off “Manage passwords” and “Autofill settings” to prevent the browser from dumping your credentials into visited sites.

They responded quickly, and said it’s been an open issue (turns out since April 2017), and that it’s a problem — saying “I agree that it is not obvious from how the settings are labelled”. Yet the initial bug from last year has the status “Won’t Fix”.

Here’s the latest bug filing: https://bugs.chromium.org/p/chromium/issues/detail?id=822465

From the original April bug, it’s clear that the dev team is treating users’ privacy as a theoretical exercise (https://bugs.chromium.org/p/chromium/issues/detail?id=707887) with zero sense of urgency.

Cool, cool.

Update: there’s movement on the issue now (if you click the above links), after over a year of it being in limbo. Yay!