Yes vulnerabilities are found -- nothing in this world is 100% perfect -- but in practice, running JavaScript in your browser is orders of magnitude safer than running binaries with access to your filesystem, hardware, and more.
Yes and the security mainly comes from the sandboxing, not from some hypothetical stores of websites making random judgments (also I also know that the reputation and blocking of website could depend on the presence of hostile JS, but given what is described here Google judgment seems to depends on quite "random" factors, that should also not be relied upon for JS content)
If you want to go toward security, unilaterally disabling parts of the web because of parts of third party legacy OS design is not the way to go, actually I don't see logically how the described approach of Google would yield any interesting true_malware_blocking / false_positive_blocking ratio. And you know what would be even safer? Shutting down the computer when the user attempts to browse the web. Browser vendor should let the OS antivirus take care of its own business -- if I want my complete computer to be taken care of by Google I can go buy a Chromebook...
I was saddened by the move of Edge to Chromium engine, but honestly while I used the old one from time to time for very specific purposes, I could not recommend it to anybody. I will still try to make people use FF by default, but I'm starting to think the position of the new Edge will be interesting and it could be good to try to switch some from Chrome to Edge.
Yes vulnerabilities are found -- nothing in this world is 100% perfect -- but in practice, running JavaScript in your browser is orders of magnitude safer than running binaries with access to your filesystem, hardware, and more.