Fair! I took the original question in the vein of "Who is to blame?"

I feel like IC latitude isn't usually sufficient to say "Do we really want to require the identity our platform is based around?"

ICs (at least the people good enough to pass a Meta interview) have a choice of where they work though. I've quit a job where I had an ethical issue with what the company was doing with the code I wrote. When Company X does something naughty, the individual developers need to at least share blame with the managers making the decisions. After all, whose fingers are typing the code in and hitting submit?

I haven't worked for a company as large as Meta but we encounter these issues on smaller projects too: should the unique identifier for an account be their email? Or a UUID? If your business only uses SSO, should you use the [Google/Microsoft/whatever] ID as the identifier for that user on your database?

I personally wouldn't think that Facebook engineers would have had their hand forced on something like this.

Oculus engineers apparently did.

So I'd imagine the internal pressure over something closer to main products would be the same or worse.

Centralizing identity was (prior to the EU) a core moat for Facebook/Meta.