It could be also that the sales person did this on his own initiative for a couple of extra points. It might not be standard practice, but we'll never know.
Your PII will be in their CRM and they will have access to their CRM. Literally all they need to do this is your name and linkedin. If you think sales people won't have access to names of potential leads then I am not sure what you think sales people do on outbound sales.
Even in an CRM there should be checks on who can access what PII and when. There is a difference between "you are assigned 100 leads for the duration of lead qualification" and "you can yourself pick out leads (and can get access to their PII) out of any of the thousands of possible leads".
I think your expectations of how a company handles Leads are unrealistic. A company just needs to keep your data safe. A sales person having access to Leads makes complete sense. A sales person being able to see if a lead has been chased makes sense. A sales person being able to find Leads to chase that they are best qualified to chase makes sense.
No it said not use that for marketing. And they didn't, the sales person said he would be the point of contact. They didn't market or try to sell him something in his message. He just send a request to be his contact.