AMC Order Confirmation Pages Are Indexed by Google, Exposing Sensitive Info (imgur.com)
36 points by LeftHandPath on May 5, 2022 | 10 comments



This has to be because the Chrome browser is submitting every URL you visit to Google and then Google is running a crawler immediately, right?

Or has the Chrome browser become the crawler?


Seeing the last four credit card digits in some of the results makes me think the browser is actually submitting the page content.


That could make sense. The pages don't always seem to be crawled.


Session token/cookie should expire to prevent user info from being viewable, whether or not Google indexes it.


Some of the pages load and show full details even when you open them in an incognito window.

Really hoping for a reply from AMC but I don't expect one.

I also wondered if they might be test pages of some sort but they look legitimate.


If Google caches it quickly, it'd be viewable for a long time after the tokens have expired?


No - the session cookie is private to the browser that originally placed the order, so the Google crawler should get a 403 as it doesn't have that cookie.
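
The access check discussed in the comments above, sketched as an added example that is not part of the thread and is not AMC's code: the confirmation page is served only to the session that placed the order and only until that session expires, and every response tells crawlers and caches not to keep it. The function name, order store and sample values are hypothetical and constructed for illustration.

```python
import hmac

# Constructed sample store: order id -> owning session token, expiry, card last four.
ORDERS = {
    "A1001": {
        "session": "s3ss-owner-constructed",
        "expires": 1_700_000_900,  # epoch seconds, constructed value
        "last4": "4242",
    },
}

# Sent on every response so that even a leaked URL is not indexed or cached.
PRIVATE_HEADERS = {
    "Cache-Control": "no-store",
    "X-Robots-Tag": "noindex, noarchive",
}


def confirmation_response(order_id, session_cookie, now, orders=ORDERS):
    """Return (status, headers, body) for a request to an order confirmation page.

    session_cookie is the value the client presented (None if absent);
    now is the current time in epoch seconds.
    """
    headers = dict(PRIVATE_HEADERS)
    order = orders.get(order_id)
    if order is None:
        return 404, headers, ""

    # The order id in the URL is not a credential: the caller must also hold
    # the session that placed the order. Constant-time compare on the token.
    owns_order = session_cookie is not None and hmac.compare_digest(
        session_cookie, order["session"]
    )
    # An expired session is treated the same as no session at all.
    if not owns_order or now >= order["expires"]:
        return 403, headers, ""

    return 200, headers, f"Order {order_id}: card ending {order['last4']}"


if __name__ == "__main__":
    t = 1_700_000_000
    print("crawler, no cookie :", confirmation_response("A1001", None, t)[0])
    print("owner, live session:", confirmation_response("A1001", "s3ss-owner-constructed", t)[0])
    print("owner, expired     :", confirmation_response("A1001", "s3ss-owner-constructed", t + 1000)[0])
```

A page that loads with full details in an incognito window, as reported above, corresponds to the first case returning 200 instead of 403.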


Delivery fee for food ordered inside the theater!


And I never would've found the bug if I didn't look it up to check if I understood the fee right!


Shady af, that probably means some people have access to that data as well if it is all in clear.



