The sync appears one-directional: Apple copies additions from Google but does NOT process deletions. A domain cleared by Google Safe Browsing remains permanently blocked in Safari with no automated removal path.
Reproduction: 1. Navigate to https://openvan.camp/ in Safari → full-screen red "Fraudulent Website Warning" 2. Same URL in Chrome/Firefox/Edge → no warning 3. Delete ~/Library/Caches/com.apple.Safari.SafeBrowsing/ → relaunch Safari → warning reappears immediately from fresh DB download
All external databases show clean: - Google Safe Browsing: clean - VirusTotal: 0/65 vendors - URLVoid: 0/35 engines - Spamhaus DBL, Gridinsoft, FortiGuard: removed/clean
Sysdiagnose confirms Safari connects to mask.icloud.com via OHTTP/QUIC every ~30 min (HTTP 200, ~450ms) yet Apple's list retains the entry on every refresh cycle. This is not a caching issue — it is a missing deletion mechanism in Apple's proprietary feed.
The original flag (March 2026) was caused by a third-party ad network (Adsterra) serving malicious redirects. It was removed on March 18. All remediations completed. websitereview.apple.com submitted March 18 — no response after 6 days.
WebKit Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=310606 Apple Radar: rdar://173213501
Has anyone else hit this? Is there any known escalation path beyond websitereview.apple.com?