The number of degrees of separation between average Facebook's engineer work and "direct harm to a human being" seems like it'd be orders of magnitudes higher than when working on exploits for companies with the client list like that of NSO's.
But number of affected people and the scale of impact was also on another order of magnitude.
Moreover, that tool depended on private companies that operated without any oversight. It’s a very different situation for exploits (although I agree that they often end up in the wrong hands)
NSO is probably one of the worst offenders when it comes to screening their clients. This raises ethical issues. It was a factor for me and many of my former colleagues.
However, for every abusive operation that gets exposed, there are many legitimate ones conducted by democratic governments. I think we are far from a mass-surveillance scenario, and those exploits are not as widely available as the media might portray.
The number of degrees of separation between average Facebook's engineer work and "direct harm to a human being" seems like it'd be orders of magnitudes higher than when working on exploits for companies with the client list like that of NSO's.
Or do you not think about it in those terms?