My point of #1 is that the author is mainly talking about security but uses the word "privacy". Improving security does not improve privacy, given my definition that privacy assumes good security. I think it's important to disentangle these two concepts because you can have one without the other. We should of course be advocating for both, but each requires their own solutions.
Case in point: the GDPR is a privacy law that mandates, among many other things, that the systems involved are conceived, built and maintained with proper security considerations.
