I think the problem here is ultimately that people aren't doing proper threat modeling, and failing to include the government itself as a potential threat.
The most terrifying consulting contract I've ever been offered was a project to entirely replace cash in a country with a "blockchain" currency scheme. In addition to the requirements that both buyer and seller be 100% identified (likely by biometrics), there was also a requirement that every receipt be uploaded to a government run server, allowing exactly what was being bought to be tracked in detail in real-time. And of course, there was the requirement that it be possible to freeze accounts on demand.
I asked the client what country the project was ultimately going to be for, and they didn't really want to tell me (citing NDA's and what not). But I did get them to finally admit it wasn't a democracy, it was a dictatorship.
Pretty obvious that dictatorship wanted even more control over their citizens. Needless to say, I turned the contract down as being involved would be incredibly unethical.
But how much more ethical is it really to do the same type of project in a country that's supposed to be a democracy? I'm not so sure there's a clear difference, given how quickly privacy protections can be removed. Look at how census data was used to round up the Japanese in the USA during WWII for instance.