You’re the one speculating. You can analyze your network traffic to ensure it disabled, and as people have done and verified that it is disabled. Those are standard Google Ad trackers. Any app with ads has them, like Sync for Reddit did and Sync for Lemmy does.

For anyone coming across this, remove seemed to work. Purging clears the “remove” status it looks like and other instances won’t know you removed it and keep federating data to you. At least that’s what it seems like was happening

If there’s truly XSS vulnerabilities in lemmy that would be really bad. It’s one of the first things an attacker will try and it’s so easy to protect against.

Nope, I notice it reappear in the community list. If I just remove the community without purge though then the new content stops coming in, so I’ve just left them as removed without purging

Nope, previously yes but then unsubscribed and now trying to remove the community