[marchenko]

There's a big difference between leaving your DNA on a cup and storing it in an easily-queried database. To collect your DNA from a cup , an interested party has to have an a priori interest in you specifically. To get it from a database (or databank, if 23 and Me is retaining physical samples, as their terms indicate they might), the interested party just has to have an a posteriori interest in "people's DNA", and hoover yours (and by probabilistic inference, your relatives') up along with everyone else's.

In the US, the protections against insurance companies using your genetic data against you are about as deeply entrenched as the protections against letting ISPs sell your internet history, and subject to much more intensive lobbying. Other countries have no protections at all - Canada's current bill is strongly opposed by the Trudeau government. Remember, even though most of these genetic risk scores are incredibly weak predictors, it is only necessary for insurers to believe they improve their actuarial models slightly to have a huge effect on differential insurance costs.