Safe Launcher Security

Let me answer this, as I am the one who brought up there being a distinction. In software/app development there is in general a distinction in the understanding of these terms to help us develop appropriate solutions. The difference I mean goes appropriately along those lines: security describes the system integrity, whether a system can be manipulated to do something it isn’t supposed to do or – in the sense of data security – whether you can gain unauthorized access to functionality or data. In contrast to that, data privacy concerns itself with the (mis-)conduct when handling data you have authorised access to. A simple example is when someone hacks LinkedIn and steals the emails (which is a security breach) in comparison with a company asking for your email but then selling it illegitimately to a third party (a breach of your privacy).

This distinction is helpful as it shows the limits and where each one can be solved. While security is most of the time a coding/code quality and proper processes issue, data privacy is much more about a proper code of conduct with the data you gained access to – which is much harder to prove and enforce from a systematic perspective. (Which is why I am happy that the safenetwork takes on that challenge.)

This particular instance – allowing of mixed-protocol-content – is clearly an edge case of overlapping security breaches and privacy data leaks. The system we’re designing here isn’t supposed to leak this information (this easily/without a bad actor) and thus such a problem breaches the integrity of the system itself. However, there isn’t any specific problem in the launcher that causes the launcher’s integrity to be compromised (and thus the title is misleading) but rather the way it is interacting with other parts of the system easily leads to a breach of the conduct expected for privacy-relevant data within the system – it’s complicated.

Moving on from that, one important conversation I think we should start having – in a separate, more appropriate topic – is how we want to grant “access” to apps within the safe network. Clearly the system of feature-based access control like iOS or Android do it does not protect the privacy of the user, as they completely regard what the apps actually do with that feature and when. I am dreaming of a system where an app might ask for permission to send messages and uses an API to do that, but where the user has complete control over when and to whom such messages are sent (as an example) and the app itself will never know whether the message was sent or whether it was just faked to it. Thus every app must be able to continue its work without expecting any of those features per se but, in the idea of progressive web pages, provide them as further enhancements IF the user allows them to be used (which can be revoked entirely or even on a case-by-case basis).

But again, discussion for another day!

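As an added illustration of the mediated-permission idea in the post above (this is my own sketch, not code from the original post or from the SAFE launcher project), a small Python model in which the launcher, not the app, decides per call whether a message actually leaves, and the app receives the same acknowledgement either way. The names `Launcher`, `Ack`, `App` and the policy callback are assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Ack:
    """What the app gets back. Deliberately identical whether or not anything was delivered."""
    message_id: str


@dataclass
class Launcher:
    # User-controlled policy (hypothetical): decide(app, recipient) -> True means really deliver.
    decide: Callable[[str, str], bool]
    revoked: Set[str] = field(default_factory=set)          # apps whose permission was withdrawn
    delivered: List[Tuple[str, str, str]] = field(default_factory=list)  # (app, to, body) actually sent
    _counter: int = 0

    def revoke(self, app: str) -> None:
        """Withdraw the permission entirely; the app is not told."""
        self.revoked.add(app)

    def send_message(self, app: str, recipient: str, body: str) -> Ack:
        # Message ids are allocated on every call so a faked send looks exactly like a real one.
        self._counter += 1
        ack = Ack(f"msg-{self._counter}")
        if app not in self.revoked and self.decide(app, recipient):
            self.delivered.append((app, recipient, body))
        return ack


class App:
    """An app that treats messaging as a progressive enhancement, not a requirement."""

    def __init__(self, name: str, launcher: "Launcher | None" = None):
        self.name, self.launcher = name, launcher

    def share(self, recipient: str, body: str) -> str:
        if self.launcher is None:              # feature never granted: core work still completes
            return "stored-locally"
        self.launcher.send_message(self.name, recipient, body)
        return "acknowledged"                  # the app cannot distinguish delivered from faked


def demo() -> Tuple[List[Tuple[str, str, str]], List[str]]:
    # Constructed policy: the user only lets this app message "alice".
    launcher = Launcher(decide=lambda app, to: to == "alice")
    app = App("chat-app", launcher)
    results = [app.share("alice", "hi"), app.share("bob", "hi")]
    launcher.revoke("chat-app")                # revoked entirely, silently
    results.append(app.share("alice", "still there?"))
    results.append(App("offline-app").share("alice", "x"))
    return launcher.delivered, results
```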