Arc is used disproportionately by users who work in tech which tend to be paid quite well.

Am I wrong in thinking that with this vuln you could drain any financial accounts that they log into Arc with? Or, if they use Arc at work, that you now have a way to exfiltrate whatever data you want?

A browser vuln is about as bad as an OS vuln considering how much we use browsers for.