Does Google really take privacy seriously?
Google does take privacy seriously -- and in many respects, they are more conscious about their privacy practices than most other companies because they are an easy target. It is also assuring that they can fix vulnerabilities very quickly in most cases. That said, it is becoming very concerning that cross site scripting (XSS) attacks on Google services have become a common headline in the news recently. We only hear about the holes that are publicly disclosed -- but you can bet there are many others that go unreported and are abused without you or Google even knowing.
XSS is a technique that hackers use to inject code into a website that can expose things like your browser cookies to them. Stolen cookies can be used to hijack your browser session allowing attackers to look at personal data or, depending on the severity of the vulnerability, it may even allow them to gain complete access to your accounts.
Does this affect you? Yes, it can affect anyone -- all you have to do to be taken advantage of is visit a website. Even one that you normally trust can be dangerous because one line of malicious code that is invisible to the user (likely inserted by a hacker) can put all visitors to that site at risk without the owner even knowing.
Your data is not completely safe on Google until they implement an effective internal preemptive XSS discovery team, and Google related XSS attacks stop making headlines. Google needs to hire full time employees, who have a knack for discovering these vulnerabilities, to kill bugs before products are even released. Obviously the automated tools they are developing alone aren't foolproof.
I know XSS is far from limited to Google, but if they want to be known as your friendly neighborhood privacy protector, they have to do more than just talk about it. Perhaps even an anti-XSS feature that checks for suspicious URL patterns in the Google Toolbar would be a nice addition.
In the mean time, if you are worried about your privacy, download Firefox and the NoScript addon. It's the only sure-fire way to keep your information private for now.