Pretty much everything pointed out in the OP only applies if your setup is configured to use a 3rd party identity, integration server and notary (trusted_key) server. So if you are selfhosting and you want to avoid using 3rd party servers, don’t use them!
Agreed that we should do better at presenting a max-privacy config preset and explaining how identity/integ/notary servers work to users (without making the UX unusable), but to throw away the whole project over this is throwing out the baby with the bathwater, imo.
I believe you are missing the point of the document. It is not so much where the leaks go, but that they happen when there is no consent or knowledge of the transfer.
Example: for Scalar, the issue says that Riot talks "too much" to it. The research is not about how many times Riot talks to it. It is that Riot talks to it before the user explicitly requested the service, and in a way that the user does not expect.
As we wrote in the paper: "Privacy protection is a mindset". It is not about fixing individual issues and then have new ones pop up because the underlying problem is not fixed. It is about having a process in place so it cannot happen again.
I'm curious what you are going to use instead. I know Matrix is not perfect (and I would wait for some of the planned features to land), but the most commonly selected options have a lot more problems.
Agreed that we should do better at presenting a max-privacy config preset and explaining how identity/integ/notary servers work to users (without making the UX unusable), but to throw away the whole project over this is throwing out the baby with the bathwater, imo.