If you read their full paper, they do technical analysis confirming findings in many cases. Many other researchers have done the same in the recent past.
Full paper also says that the unique URLs were later requested by crawlers, which confirms server-side collection.
What happens server-side is also confirmed by the palant.info article that shows a graphic provided by a major data broker that shows exactly how they mis-use data collected by extensions under false pretenses.
It's far from speculation when there's both technical evidence collected by researchers and direct evidence provided by the bad actors themselves.
It's the holidays and we're entering a weekend, so my default expectation from any business is no response until sometime next week.
If you could wait most of those 8 months to launch it, a few more days or a week likely won't make a difference.
Hope you can get things sorted soon, but be patient. As with any launch, there are always things to triple-check or to improve, so work on those if you want to keep busy.