“On skippable ads, the button appears after 5 seconds into playback, as always.”
They aren’t hiding the skip-button, they are hiding the not-being-able-to skip-button.
I guess the advantage for Google is that users can’t know whether they’ll be able to skip, so they might watch more of the ad with expectations that they might be able to skip it.
Because they use the official apps/web-vault, they don’t need to implement most of the vault/encryption features, so at least the actual data should be fine.
Security audits are expensive, so I don’t expect it to happen, unless some sponsor pays for it.
They have processes for CVEs and it seems like there wasn’t any major security issues (altough I wouldn’t host a public instance for unknown users).