I don't understand why you think the literal only way a security standard can be bad is if it has a literal security flaw. What Google is doing is bad for reasons other than security flaws, but it's no different from the other reasons why Google being involved in standards other than security standards is bad. It's just that in this case, their evil, user-hostile mechanism has absolutely no reasonable use case outside of security.

Yes, developing bad, user-hostile, open-ecosystem-hostile security standards should indeed bar you from security standards work even if the prison you've built for end users is maximally secure.