Yes, I'm sure I missed some things, I was trying to keep the list as non controversial as possible. Here are some specific responses.
1. Agreed, but at least they do prompt fairly early letting you turn it off.
2. I'm only looking at things in the release version of firefox. As I note elsewhere they treat nightly/beta users much worse. Longterm TLS over HTTPS is great for privacy, and they had to choose some provider, so I'm mostly fine with this.
3. This isn't their fault, the same applies to chrome. An extension is a third party piece of software you choose to install.
4. Again, a third party piece of software, not under their control. Further they are actively working to improve this situation and bring Tor onto mainline firefox!
Currently Tor is behind mainline Firefox in terms of security because it's a fork of Firefox ESR[1]. Pay attention to this part[2]:
> Unlike other release channels, ESRs are not updated with new features every six weeks. They are instead supported for more than a year, updating with major security or stability fixes.
- They have telemetry turned as the default
- They are experimenting with TLS over HTTPS and use beloved Cloudflare to handle every DNS request
- They are always in the headlines about some shady 'addon' or 'extension' been sold off and taken over by shady actors
- The TorBundle which is a fork of FF ESR is always in the headlines as been unsecure and way behind FF mainline release