I don't know the actual details here, so I can't really comment.
Re your second point though: I think it's much more important that people understand where they really stand in terms of what is private, even if that isn't everything they'd like, as opposed to discovering later that something they thought was private could be accessed via a workaround.
That's like saying "Well, since it's possible for someone to social engineer the password of my server, I might as well remove the firewall, switch to telnet and chmod everything to 777."
It's important to tell people to know where they really stand in terms of privacy, and then continue to do your best to protect it. The fact is that privacy - like security - is not a binary. It's something that you protect with various overlapping strategies that reduce the risk as much as possible. Few people expect Facebook to provide them with total protection of their data; instead, they expect them to do the best they can. And that's what Facebook has done for the past five years; they went far beyond anyone else in terms of protecting privacy, and even after they were miles ahead of the competition, they continued to improve it. Now they've destroyed all of that progress in the scope of a few days.
It's a question of how difficult the workaround is. In this case, I think it maybe had to do with showing mutual friends in search results: not showing them made the results very difficult to pick through, and showing them was a privacy flaw. This isn't a very effective protection. I believe that the basic idea of protecting privacy as far as possible has not changed, but of course I'm going to say that :)