You're assuming the goal of Project Zero is to take an interest or willingness to protect vulnerable hosts. That is not the goal of Google Project Zero. The goal is to find vulnerabilities that impact the stock price of Alphabet competitors, usually Microsoft or Apple.
The software of their competitors is used by billions of people, thus finding and reporting vulns in that software is going to help billions of people by fixing that problem.
If that was actually the case then, just by the numbers, wouldn't they spend all their time fuzzing Android or GSuit or their own codebases as well? Or at least release the reports of them with the same viritol?
It's like Toyota buying a Ford and finding out that if you rear end it, it will explode. So Toyota publishes their finding. Then weeks later a 3rd party finds the prius accelerates by itself.
Maybe if Toyota wasn't so busy trying to screw Ford they would have known about their own glaring issues.
We can't tell whether or not Google lives in a glass house because they keep it proprietary. Therefore we need to assume it's no better than what they bully others for. Nobody handed Google a crown and made them ruler of everyone's code. They just kinda built themselves a castle and started cutting off heads.
