Between this and the HTTP server, it feels like Zoom of old that wrote the app was more willing to make the user experience vs user privacy trade off in favor of user experience.
Now you need to log in via Facebook with a separate browser window, and thanks to the HTTP change, you need to click on a browser dialog to launch a meeting from a link. So, they've either changed their policy to err more towards the privacy side and haven't found all the cases yet, or, more likely, still have the same attitude except when the tech world starts screaming at them.
I think it's more likely that the developers responsible for the HTTP server just didn't know much about local security, and Zoom doesn't have a good security review process (where actual infosec professionals are involved). That doesn't absolve them of responsibility, of course, but I really don't think it was malice or an intentional desire to ignore privacy concerns.
The “bug” where it would basically act like persistent malware, or the bug where it would act like persistent malware but also allow attackers remote access to your machine?
Now you need to log in via Facebook with a separate browser window, and thanks to the HTTP change, you need to click on a browser dialog to launch a meeting from a link. So, they've either changed their policy to err more towards the privacy side and haven't found all the cases yet, or, more likely, still have the same attitude except when the tech world starts screaming at them.