Why does it matter if Apple themselves don’t link the WebKit docs? It’s literally their project and seems to meet their requirements.

There’s a lot of things in the requirements like funding that Apple cannot verify. I think you’re being too binary in this.

Some of it is very clearly intended to be a “show us you are at least considering these security measures and have practices in place to minimize known issues”. Again, for the third time, it’s clearly NOT a list for ongoing perfect security, given that there are other items on the list that deal with further mitigation strategies.