It would be scary if someone found a flaw in their API or data that exposed who went where from where everyday. It may not be stored that way but people who work at secure locations aren't allowed to bring in cell phones or workout watches but they still bring them to the parking lot showing who works where. If a flaw like this is discovered it would obviously be bad.
Would be good to read what steps Strava uses to anonymize this data prior or shortly following upload.
I'm also hoping they put some logic to prevent a single device trace from showing up on the heatmap regardless of frequency, and that 2 devices would need to converge within a radius for there to be a trace, but that might be wishful thinking.