Regarding the URLs containing the decryption key, of course a strong password is a big benefit here, but if you're not syncing history that could perhaps eliminate big tech from the loop (though you may also need to turn off all telemetry by your browser)
Using a browser without extensions installed would prevent against extension-based exfiltration.
The only way to prevent against a malicious server would probably be to build the frontend yourself and use it with the server (I haven't tried doing this)
Can you suggest some best practices those cypherpunks can take to mitigate the weaknesses and use it in a secure fashion?
Eg. I don't sync browser history and tend to turn off other cloud-supported features (including "logging into" my browser).