YEP -- me too. I'm on v38.0.1, and use manual update, yet Flash was disabled today.
Should not be surprised, as 'phone-home' is never user configurable, whereas update is.
This kind of thing seeds the paranoia re "likelihood of nefarious activities".
Once a program is allowed to cross the outgoing firewall (on any port), the jig is up and you've given away the store. On that subject, the secure choice would be to run the browser on its own user-id and to not allow that id to access your %userprofile% -- This will create a read-only browser and you would never be able to upload files from %userprofile% :sigh: