In that scenario, not going opt-out is not a mistake. But going opt-in probably is a mistake, because the data will be useless, so it’s a waste of time to implement.
For those conscious of the security implications of that code even existing it all comes down to whether you trust Google, I would argue at this point you definitely shouldn't. Given that if you program in Go now and have code you really wouldn't just give Google then you probably need to run all your go executions in a VM without network access. This alone is going to be ardious enough from a security point of view to make other languages more interesting.
The entire idea is bad, the defaulting reduces the impact to many but the very existence of this telemetry is enough to take more significant security defence against the tool. Once you start doing that as an organisation Go becomes legacy with a strong desire to replace it. Its definitely a mistake to make it opt in, the data will be lower quality and it will still drive security concerns.
I'd say there are times when bad data is worse than no data.
Consider that the farther away you get from it, the parties involved are either unaware or unwilling to treat it as bad data, so they make make harmful decisions.
And opt-out or even mandatory data is without doubt quite bad to start with. And the interpretation of the data is rarely flawless or even pretends to be objective.
So if someone says that opt-in data is useless, I'd say that out-out data is just as useless.
And then we have to pretend that implementation, collection and analysis and then further actions would make it worthwhile.
Googler 1: Do we need this telemetry opt-out functionality? How many users are using it?
Googler 2: The data says 100% of users are opted in, so deprecating the obsolete and unpopular opt-out functionality is the evidence-based choice. Ignore the shrill demagogues on the mailing list saying otherwise, their anecdotes are meaningless.
The entire idea is bad, the defaulting reduces the impact to many but the very existence of this telemetry is enough to take more significant security defence against the tool. Once you start doing that as an organisation Go becomes legacy with a strong desire to replace it. Its definitely a mistake to make it opt in, the data will be lower quality and it will still drive security concerns.