
Calling this a phishing mitigation is blatantly dishonest. Hiding the URL does nothing to stop phishing. UX improvements are great, and this is clearly a UX change designed to perform great on metrics Google cares about (like search traffic), but it is not anything resembling an attack mitigation.

Here are some things that actively mitigate phishing; many of them are available in Chrome and actively used by many web properties (including Google's).

HttpOnly cookies (introduced in 2002!)

'secure' cookies

Content Security Policy

iframe sandboxing

input sanitization

isolating user input to low-privilege domains to protect unsecured user information

clear, identifiable URLs that increase the odds of users recognizing something wrong

two-factor authentication

What is an example of a phishing attack or XSS attack that would be stopped by this change? Is there at least an example of an attack that would be mitigated? I cannot for the life of me think of one.
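
For readers who want to see what several of the controls named in the comment above look like in practice, here is an added example (not code from the thread or from any of the projects mentioned) in Node.js. It builds the `Set-Cookie` and `Content-Security-Policy` headers a login endpoint would emit with the `HttpOnly` and `Secure` attributes, audits an arbitrary `Set-Cookie` header for those flags, and assembles an iframe `sandbox` attribute for untrusted embedded content. The function names, the `session` cookie name, the `SameSite=Lax` choice and the sample URLs are assumptions made for the example; the header syntax and the sandbox tokens are standard.

```javascript
// Added example, not from the original thread. Names (hardenedHeaders, auditCookie,
// untrustedIframe), the "session" cookie name and the sample URLs are assumptions.

// Response headers a login endpoint would send once the session is established.
function hardenedHeaders(sessionId) {
  return {
    // HttpOnly: page script cannot read the cookie through document.cookie.
    // Secure: the browser only sends it over HTTPS.
    // SameSite=Lax: not attached to cross-site POSTs (assumption: Lax suits this app).
    "Set-Cookie": `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`,
    // CSP: same-origin scripts only (no inline script), no plugins, no framing by
    // other origins, and <base> cannot be repointed to an attacker's origin.
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; " +
      "frame-ancestors 'none'; base-uri 'self'",
  };
}

// Parse one Set-Cookie header into its name/value pair and a map of
// lower-cased attribute names to their values (true for valueless flags).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    if (a === "") continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Return the protective attributes a session cookie is missing. Attribute names
// are case-insensitive per RFC 6265, so "secure" and "Secure" both count.
function auditCookie(header) {
  const { attributes } = parseSetCookie(header);
  const missing = [];
  if (!("httponly" in attributes)) missing.push("HttpOnly");
  if (!("secure" in attributes)) missing.push("Secure");
  if (!("samesite" in attributes)) missing.push("SameSite");
  return missing;
}

// Tokens the sandbox attribute accepts; anything else is rejected as a typo.
const SANDBOX_TOKENS = new Set([
  "allow-forms", "allow-popups", "allow-same-origin",
  "allow-scripts", "allow-top-navigation",
]);

// Build an <iframe> for untrusted content. With sandbox present and
// allow-same-origin omitted, the framed document runs under an opaque origin
// and cannot touch the embedding page's cookies or DOM. Granting both
// allow-scripts and allow-same-origin lets same-origin framed script remove
// the sandbox attribute itself, so that pairing is refused.
function untrustedIframe(src, allow = []) {
  for (const t of allow) {
    if (!SANDBOX_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
  }
  if (allow.includes("allow-scripts") && allow.includes("allow-same-origin")) {
    throw new Error("allow-scripts + allow-same-origin defeats the sandbox");
  }
  const safeSrc = src.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe src="${safeSrc}" sandbox="${allow.join(" ")}"></iframe>`;
}

// Stand-alone demonstration on a constructed header.
console.log(hardenedHeaders("abc123"));
console.log(auditCookie("session=abc123; Path=/")); // ["HttpOnly","Secure","SameSite"]
console.log(untrustedIframe("https://example.com/widget", ["allow-scripts"]));

module.exports = { hardenedHeaders, parseSetCookie, auditCookie, untrustedIframe };
```

The audit function is the part worth reusing: point it at the `Set-Cookie` headers a real login response returns and any non-empty result is a missing control. Note that none of this changes the page the user is looking at; these headers limit what a compromised or injected script can do with the session, which is a different threat than the one the reply below raises.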



Not one of the things you list helps phishing. I think maybe you are confusing phishing with other types of attacks.

Phishing is when an evil website tricks you into typing your bank password into it. HttpOnly cookies (as an example) are not going to do anything to prevent an evil website from looking like your bank's website.



