They store passwords and proxy everything at the same time they’re pushing OAuth, authenticators, passkeys, etc. for their own services. Everyone should have revolted when they bought Acompli and started doing this kind of thing.

I am so glad people are finally noticing and complaining about this. It's the same reason I won't use Spark or Superhuman. Those are neat services, but I can't abide storing the creds to perhaps the most security-sensitive service I use to a cloud provider. If they get hacked, then the attacker can access my email account, send phishing emails to my contacts, read and respond to password reset requests they make to other online services, etc. It would be disastrous.

No, I'll keep my credentials stored and used locally, thanks.

So like Cloudflare for email.

This seems like it would completely break any attempt to track access from unauthorized users or devices — any IT department using a backend other than Microsoft’s would need to pretend that all access from MS’s servers is safe.

And? Do you think Gmail is end to end encrypted?