I had a quick read on what they do and it makes perfect sense.

Do you have a link to the document that makes perfect sense?

From this community.sophos.com/kb/en-u… I derive it's about lookups of domains against some blacklist. Given that these domains are themselves queried over DNS, there's little point to encrypt the blacklist lookups. Basic obfuscation against keyword matching could make sense.

This was the result I saw, which says it can contain URLs and file submissions, which does not make perfect sense unless there was some context I'm missing... community.sophos.com/kb/en-u…

Hmm I think that's not good.

Sending full URLs plaintext over the public internet? 😬I know Avast used to do it with a chrome extension, but we told them they need to stop that or they're out of the webstore... I think they agreed to start sending them over https.