I remember thinking why don't they just do a WebEx with us to see what's going on. Nope, never. They just wanted us to ship logs to them and try random crap until they closed the ticket. Total waste of time and money.
Not if they do it right. Lots of companies did that with us, some required it as part of their contract. We'd give them the ability to control or not, and what we were sharing with them. Way more efficient than sending up a tarball full of /var/log. Id argue THAT was a security and liability issue.
Redhats customers run across the world and many legal jurisdictions, which have their own set of complications.
The flip side of the coin that I have seen is that some customers will rely heavily on redhat to do basic admin work that a system admin would/should be doing. Effectively taking a job with legal liability for work provided.
The sosreport Tarball makes an active effort not to gather private information. If you believe it does, please let support know as they are interested in improving this.