OpenZeppelin usage in audited, well-known projects

Among the first projects that launched using our proxy patterns, I can recall CENTRE (USDC), which is an ERC20 that is currently holding almost 700M USD (proxy code here). Another coin using our proxies is Paxos (token here), for a value of about 250M USD, and they were audited by three different firms, Trail of Bits among them!

Decentraland has also used our upgrade patterns for the marketplace and districts, which were audited here. More recently, PoolTogether also uses our upgrade patterns, and was audited both by us and Quantstamp. I understand that AZTEC also uses our proxies, same as Unlock Protocol, and SablierHQ. I'm sure I'm missing other high profile projects, but these are the ones that come to mind now.

Also, as Andy pointed out, the proxies themselves have been audited by Nomic Labs.


Now, as Dan mentions, upgrades do introduce an additional complexity, but from what we've seen in most cases the benefits definitely surpass the hassles. Also, any "manipulation of low-level Solidity" (I'm assuming Dan refers to assembly here) is isolated in the proxies themselves, and has been very carefully reviewed and audited, as well as widely used in production.

We have rolled out patterns such as unstructured storage or transparent proxies to ensure that it's extremely difficult to shoot yourself in the foot, unless you explicitly try to do so. And if you are using our CLI, we have embedded all necessary checks to make sure that an upgrade is safe - though we always strongly encourage testing them.

FWIW, I'm not a fan of the data separation pattern for upgrades. It produces very awkward code, it makes it impossible to reuse existing libraries, it's extremely easy to screw up just by forgetting an onlyOwner modifier in any of the functions in the storage contract, and is much more expensive in terms of gas as it requires an additional CALL for every read or write operation.

Last, I'm sad to see that the Trail of Bits post is still promoting FUD on our proxies, by touting an alleged vulnerability found on our implementation. The fact is that the post picks on an unreleased implementation of the proxies which was under development in our labs repository (a space dedicated to exchange ideas), and was not present in the released version. And not to mention that, if this had been an actual vulnerability, we would have appreciated a responsible disclosure privately first, instead of finding out via a public post.

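To make the two patterns contrasted in the post concrete, here is an added Solidity example (written for this page; it is not OpenZeppelin's proxy code nor any of the audited projects' code). The first contract is a minimal transparent proxy using unstructured storage: the implementation and admin addresses live in pseudo-random slots (the EIP-1967-style labels used here are an assumption), so they cannot collide with the logic contract's own variables, and the admin is the only caller that can upgrade while being barred from the fallback. The second part is a data-separation ("eternal storage") setup, where the `onlyOwner` guard on the setter is the entire security boundary and every read or write costs an extra external CALL.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// --- Pattern 1: unstructured storage + transparent proxy (added example) ---
contract MinimalTransparentProxy {
    // Assumed slot labels in the EIP-1967 style: keccak256 of a label minus
    // one, so no compiler-assigned state variable of the logic contract can
    // ever land on these slots.
    bytes32 private constant IMPL_SLOT =
        bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1);
    bytes32 private constant ADMIN_SLOT =
        bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1);

    constructor(address implementation_, address admin_) {
        require(implementation_.code.length > 0, "impl is not a contract");
        _set(IMPL_SLOT, implementation_);
        _set(ADMIN_SLOT, admin_);
    }

    function _get(bytes32 slot) private view returns (address a) {
        assembly { a := sload(slot) }
    }

    function _set(bytes32 slot, address a) private {
        assembly { sstore(slot, a) }
    }

    // Only the admin may upgrade, and the admin may do nothing else through
    // the proxy; everyone else is forwarded to the implementation. This
    // caller-based split is what "transparent" refers to and is what removes
    // the function-selector clash between proxy and logic contract.
    function upgradeTo(address newImplementation) external {
        require(msg.sender == _get(ADMIN_SLOT), "not admin");
        require(newImplementation.code.length > 0, "impl is not a contract");
        _set(IMPL_SLOT, newImplementation);
    }

    fallback() external payable {
        require(msg.sender != _get(ADMIN_SLOT), "admin cannot fallback");
        address impl = _get(IMPL_SLOT);
        assembly {
            // Forward calldata via delegatecall so the logic runs against the
            // proxy's storage, then bubble up the return data or the revert.
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// --- Pattern 2: data separation / eternal storage (added example) ---
contract EternalStorage {
    address public owner; // the currently authorised logic contract
    mapping(bytes32 => uint256) private uintStore;

    constructor(address logic) { owner = logic; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function getUint(bytes32 key) external view returns (uint256) {
        return uintStore[key];
    }

    // The guard on this setter is the whole security boundary: a storage
    // contract setter that lacks onlyOwner lets any caller overwrite state.
    function setUint(bytes32 key, uint256 value) external onlyOwner {
        uintStore[key] = value;
    }

    // Upgrading means pointing the storage at a new logic contract.
    function transferOwnership(address newLogic) external onlyOwner {
        require(newLogic.code.length > 0, "logic is not a contract");
        owner = newLogic;
    }
}

contract CounterLogic {
    EternalStorage private immutable store;
    bytes32 private constant COUNT_KEY = keccak256("counter.count");

    constructor(EternalStorage store_) { store = store_; }

    // Each read and each write is an external CALL into the storage contract,
    // which is the extra gas cost the post refers to; it also means this
    // contract cannot reuse libraries that keep their own state variables.
    function increment() external {
        store.setUint(COUNT_KEY, store.getUint(COUNT_KEY) + 1);
    }
}
```

Deploying `CounterLogic` against `EternalStorage` and then removing `onlyOwner` from `setUint` in a local test is a quick way to see the failure mode the post describes: the counter becomes writable by any account, with no change to the logic contract at all. In the proxy variant the equivalent mistake has no counterpart, because the logic contract's state is the proxy's own storage and only `upgradeTo` touches the reserved slots.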