They weren’t.

Google runs it’s own scans against domains.

Yes.

I made the mistake of naming my emby instance https://emby.example.com/

On emby, if you don’t have a session cookie, it opens on an authentication page.

I’ve had Google label it as a mitm attack and get labeled malware three times. It gets fixed in a day or two upon review, but all major browsers block it during that time.