To expand: it’s not necessarily the collection that’s bad, but that leaks will happen. It’s not a matter of if, but when. So by putting limits on what can be collected, it mitigates some of the damage of a leak.
No, it really is that collecting the data is bad! GDPR is not about making breaches less harmful (though that is a benefit) - it is about preventing businesses from secretly gathering data about you, without your knowledge, and using it in ways that harm you.
One of the ways in which a business can harm you through abusing the data they have about you is certainly allowing it to leak out - but that is very much not the only intention of data protection law.
One of the ways in which a business can harm you through abusing the data they have about you is certainly allowing it to leak out - but that is very much not the only intention of data protection law.