At this point, legitimate companies buying credential dumps from cybercriminals might be the biggest spenders on cybercrime forums. The number of separate services offering "personas" to go buy these dumps is getting out of hand.

I understand wanting to protect your customers but at what point are they further funding and encouraging the infostealer actors?

Is this any better than the free "have I been pwned?" My 1password warns me if my account has been listed in sites like the above. Does this google feature simply do the same thing or does it do more?

It would have to know all your addresses too, right? That doesn't sound very safe.

Google was promoting this feature in Google One through 55+ targeted ads like native ads in Apple News (official advertising like Penny Hoarder or non-official like Fortune), and it worked: grandparents were asking about "dark web" and information leaking, with genuine concern. Perhaps Google discovered that this was their most compelling hook, even if it didn't lead to conversions, and getting it in the news again may elevate Google services in the consciousness of boomers for free.