Privacy-respecting computerized application search system

What is claimed is: 1. A method of operating an application search system, the method comprising: storing, in an application record data store, a plurality of application records corresponding respectively to a plurality of applications; storing, in a privacy record data store, for each application of at least some of the plurality of applications, a global privacy indicator specific to the application and applicable to all users; in response to receiving a first search query from a user device: identifying a plurality of search results responsive to the first search query from the application record data store, the plurality of search results corresponding to respective ones of the plurality of application records; for each search result of the plurality of search results, selectively determining a privacy indicator based on the privacy record data store; determining a search sensitivity value based on the privacy indicators; declaring the first search query as private based on the search sensitivity value; transmitting the plurality of search results to the user device; and in response to the first search query being declared as private, transmitting a search privacy indicator to the user device. 2. The method of claim 1 wherein the search privacy indicator instructs the user device to avoid storing the first search query in a search history on the user device. 3. The method of claim 1 further comprising maintaining user profiles for users based on search quires, wherein the user device generated the first search query based on input from a first user, and wherein a first user profile corresponding to the first user is not updated with the first search query in response to the first search query being declared as private. 4. The method of claim 1 further comprising selectively transmitting recommendations for featured applications along with the plurality of search results, wherein the transmitting the featured applications is avoided in response to the first search query being declared as private. 5. The method of claim 1 further comprising selectively transmitting targeted advertising along with the plurality of search results, wherein the transmitting the targeted advertising is avoided in response to the first search query being declared as private. 6. The method of claim 1 further comprising declaring the first search query private in response to a majority of the privacy indicators being indicative of expected privacy. 7. The method of claim 1 wherein the user device generated the first search query based on input from a first user, and wherein determining the privacy indicator for a first application of the at least some of the plurality of applications comprises: in response to presence of a user privacy indicator with respect to the first user and the first application, selecting the user privacy indicator; and in response to not being overridden by presence of the user privacy indicator, selecting the global privacy indicator specific to the first application. 8. The method of claim 1 wherein determining the privacy indicator with respect to a first application comprises: determining whether a first rule of a set of rules is applicable to the first application; and in response to the first rule being applicable to the first application, setting the privacy indicator according to the first rule. 9. The method of claim 8 wherein the first rule specifies that the privacy indicator for applications handling medical records be indicative of expected privacy. 10. The method of claim 9 wherein: the first rule is only applicable in certain geographical areas; and the method further comprises determining a position of the user device based on an Internet Protocol (IP) address of the user device. 11. The method of claim 1 , wherein: the at least some of the plurality of applications includes a first application; and the method further comprises generating the global privacy indicator for the first application based on an aggregation of user privacy indicators for the first application from a respective plurality of users. 12. The method of claim 1 , wherein: the at least some of the plurality of applications includes a first application; and the method further comprises: determining a set of applications that are similar to the first application; and generating the global privacy indicator for the first application based on the global privacy indicators of the set of applications. 13. The method of claim 12 , wherein the generating the global privacy indicator for the first application includes: determining a weight for each of the set of applications; and aggregating the global privacy indicators of the set of applications according to the weights. 14. A non-transitory computer-readable medium comprising instructions for execution on a processor, the instructions including: storing, in an application record data store, a plurality of application records corresponding respectively to a plurality of applications; storing, in a privacy record data store, for each application of at least some of the plurality of applications, a global privacy indicator specific to the application and applicable to all users; in response to receiving a first search query from a user device: identifying a plurality of search results responsive to the first search query from the application record data store, the plurality of search results corresponding to respective ones of the plurality of application records; for each search result of the plurality of search results, selectively determining a privacy indicator based on the privacy record data store; determining a search sensitivity value based on the privacy indicators; declaring the first search query as private based on the search sensitivity value; transmitting the plurality of search results to the user device; and in response to the first search query being declared as private, transmitting a search privacy indicator to the user device. 15. The non-transitory computer-readable medium of claim 14 wherein the search privacy indicator instructs the user device to avoid storing the first search query in a search history on the user device. 16. The non-transitory computer-readable medium of claim 14 wherein the instructions further include declaring the first search query private in response to a majority of the privacy indicators being indicative of expected privacy. 17. The non-transitory computer-readable medium of claim 14 wherein the user device generated the first search query based on input from a first user, and wherein the instructions for determining the privacy indicator for a first application of the at least some of the plurality of applications include: in response to presence of a user privacy indicator with respect to the first user and the first application, selecting the user privacy indicator; and in response to not being overridden by presence of the user privacy indicator, selecting the global privacy indicator specific to the first application. 18. The non-transitory computer-readable medium of claim 14 wherein the instructions for determining the privacy indicator with respect to a first application include: determining whether a first rule of a set of rules is applicable to the first application; and in response to the first rule being applicable to the first application, setting the privacy indicator according to the first rule. 19. The non-transitory computer-readable medium of claim 14 , wherein: the at leas