I’ve heard that the proxy services themselves are selling user prompts and responses which they can view as man-in-the-middle… so the extent of actual exfiltration is orders of magnitude larger but less focused than what they detected.