Arc had a major vuln that scared me off it forever. Non-interactive remote code execution on any Arc users browser because of a firebase misconfiguration