I mean, is it really a conspiracy theory to want or believe that there are services (based in Europe) that don't hand over any and all user data to the USA government when asked? It's probably wrong to believe it to be the case, but just because it's wrong doesn't make it "conspiratorial".

It's quite hypocritical of Proton to claim that they protect against government surveillance when they do things like this though [0]. Their legal team has probably ensured they don't claim anything strictly false, but the implication and the reality are wildly different.

[0] https://freedom.press/digisec/blog/proton-mail-is-not-for-an...

I mean, you're still restricted to selling it to your own government, otherwise getting wired a cool $250k directly would raise a few red flags I think. And how many security researchers have a contact in some government-sponsored hacking company anyway? Do you really think that convincing them to buy a supposed zero-day exploit as a one-off would be easy?

Say you're in the US. I'm sure there are some CIA teams or whatever making use of Chromium exploits "off the record", but for any official business the government would just put pressure on Google directly to get what they want. So any project making use of your zero-day would be so secret that it'd be virtually impossible for you to even get in contact with anybody interested to buy it. Sure they might not try to "screw you", but it's sort of like going to the CIA and saying, "Hey would you be interested in buying this cache of illegal guns? Perhaps you could use it to arm Cuban rebels". What do you think they would respond to that?