A perfect encapsulation of why these privacy complaints are next to worthless. You don't trust Microsoft with telemetry but your package.json pulls in 30 packages from completely random Internet strangers who published something that looked cool on GitHub.
There's no coherent threat model here. There are a million different ways to shoot yourself in the foot and compromise your codebase before we even begin to consider what Microsoft can do with the knowledge of what buttons you press sometimes.
Privacy and security are the same thing. When one is compromised so is the other. Any untrusted code that runs on your machine has the implicit capability of exfiltrating information that would rip apart your privacy.
My threat model is Microsoft selling bogus "productivity enhancement" features to customers, pushing duplicated features, collecting data on customers to acquire business-sensitive information, and using market share as leverage to strangle better products.
There's no coherent threat model here. There are a million different ways to shoot yourself in the foot and compromise your codebase before we even begin to consider what Microsoft can do with the knowledge of what buttons you press sometimes.