Hm, with all that talk about "zero knowledge architecture", I thought your vault file would be encrypted "in one piece", not just the passwords. If they have the URLs in clear text, that's not really zero knowledge, now is it? And why do they need the URLs anyway, when I can share the passwords just fine from my local PC? Statistics?!
Honestly, URLs are a potentially massive threat vector themselves.
Are the urls associated with individual users either directly or in a bucketed fashion? Seems like no to the former but the release leaves a lot to be desired.
