Does HA also go through my HA managed grocery shopping list to prevent me from buying unhealthy food ? It is not HA’s job to protect me from my own stupidity. If password security is deemed to be an issue, then such a feature can be added with an opt-out.
First bytes of the password hash along with IP (implicit, includes ISP and geolocation) and timestamp (implicit). This is more than enough to start building a user profile over time by a (potentially insecure) third party. You can build user profiles with much less than that. It is also a possibility for the third party to specifically build a list of IPs with a HA instance running behind them.
Oh come on. This is absolutely unrelated and you know that.