>This too is not ideal. It gets saved in the browser history, and if the url is sent by message (email or IM), the provider may visit it.

Sure. POST for extra security.

> Not the subdomain leak part, that's just how Rachel noticed, but the non advertised tracking from an appliance chosen to be connected privately.

If this were a completely local product, like say a USB stick. Sure. but this is a Network Attached Storage product, and the user explicitly chose to use network functions (domains, http), it's not the same category of issue.