(linked is a post w/ design spitballing in comment)
Particularly today, particularly in govt, there is no system safe enough not to be abused.
Even if a system is determined to be completely safe (not even going to start on that one... but for the sake of the discussion, let's posit that's a thing ; - )) it should only ever contain data explicitly ok'ed by the individual.
It doesn't matter how aggregate its immediate use.
We have now shown repeatedly that people can collect points intended for aggregate type data uses from multiple points/sources and often discover enough of a pattern to suss out individualized nodes - work out things like routes and likely living patterns based on places visited, etc.
No individual project can think up every other individual project's collected data and how it will intersect. No individual project can take the systemic view needed to make their putting people at these risks, without their express and fully understood intent, ok.