Another small thing (big for me) Zoom does is register their app as the handler for `tel:` links every time you launch it, with seemingly no way to disable that. Companies that make themselves the default for something on your machine by force are not to be trusted.

I’m not surprised they start a web server from under their users, and that their response to the vulnerability was lacklustre.