This issue is simply not getting the press it deserves:
https://www.cbsnews.com/news/ftc-avast-browsing-data-privacy/
By definition, your AV [antivirus] needs to not only track every browser request, it needs to track every executable invoked while the AV is running. Any AV worth its salt would aggregate all this information, at least for the purpose of addressing new issues ASAP.
The fact that this information is stored by Avast does not trouble me; however, that it was sold to whoever came up with the cash is most disquieting. There’s no shortage of bad actors out there, and the data trove sold by Avast is quite clearly going to be re-sold if it hasn’t been already.
Naturally, this story will have legs: if one AV outfit was doing it, chances are most if not all are doing it too. I guess we all have to read the EULA quite carefully when choosing an AV solution; going without strikes me as self-destructive behavior.