Some of what is was their EULA (which is subject to change), and what they collected (which is subject to change with updates):

http://www.pcmag.com/article2/0,2817,2492599,00.asp

https://www.av-comparatives.org/wp-content/uploads/2014/04/a...

Given how they often MITM the connection they would be able to do things like reorder Google search results. This would be a huge revenue stream. Can also sell browsing data to advertisers to target specific people.

It's less prevailent and severe, but FOSS sometimes does: https://www.fsf.org/blogs/rms/ubuntu-spyware-what-to-do https://support.mozilla.org/en-US/kb/firefox-health-report-u...

There are probably lots of smaller examples; especially in Android.

There has been critics on the quietly updating of root certs by Microsoft.

https://news.ycombinator.com/item?id=9789819

But not everyone has access to all of your browsing history; especially across browsers and devices.

There's Microsoft, Google, and/or Apple have that. The profit models of these big companies create some disincentives on onselling this data.

AV providers are often on much smaller margins and the return from selling this data or building their own products on it is much higher.

I wouldn't be surprised if ISPs and VPNs also sold on data.