Turns out DDG has been using a favicon proxy since 2018 that effectively sends all websites users visit in the app to their servers. This was first reported a year ago and shrugged off (and closed) by them because they aren’t keeping any of those requests.
The issue sat dormant until it resurfaced yesterday when many other users stated their concern with the naive server-side implementation:
Yes, we already trust DDG, but only because we have to trust someone and others have proved to be untrustworthy. The issue isn’t about whether the user trusts DDG, it’s about minimizing the need for trust and maximizing the ability to verify privacy. Please consider reopening this issue. – svenssonaxel
It was suggested that this feature could/should be handled on-device and this comment on Hacker News points to Mozilla’s open source implementation that does just that. Finally, DDG’s CEO Gabriel Weinberg woke up (literally) and committed to changing the implementation.
All’s well that ends well?