Nope. Only NEW Steam accounts are private by default. This is a common misconception. This is very easy to prove, too - if your account was Public before then, like mine was, it still is, like mine is. You can go check if yours was Public before - Click on your username, then Profile > Edit Profile > Privacy. I’ve never adjusted my Friends List settings, and that is Public too.
And if they knew about the .vdf file (which is a failure obscure bit of knowledge), they definitely knew the vast majority of accounts were not private. I assume that they just wanted to avoid having to ask those people who did have it private to give them info they weren’t already sharing.
Again, this is what Graham said. And it’s false. Because they didn’t give the “full context”. They gave a partial context, looking very specifically at one person posting, and then apparently calling it racist because a later person who spread it (but not the original guy) did so in a racist way.
Graham is again wrong that they gave the “full context”, because they ignored most of Tim Sweeney’s replies, and selected only the ones which supported the thrust of the argument and that of Vogel. Now, I doubt that was intentional, but it does show they didn’t exactly look into it deeply and it does mean you cannot honestly claim “full context”. If he’d “some context” I’d agree, but it wasn’t full.
By the time RPS article came out, they had done, as much as was possible, but as I said, they only selectively covered it. As people have pointed out, literally no-one is able to know what Epic have actually done with the information, and further, now they’ve taken it, they can potentially do whatever they like.
We can debunk certain things - for example, scanning processes isn’t likely to be a big issue. They seem to be doing it in a particularly clunky way but a lot of software has to do it, including Discord.
But on the other hand, taking the .vdf files is not normal, and not reasonable, and Tim Sweeney himself more or less admitted that, and Steam have confirmed it. Further they took the .vdf files for people who didn’t consent as well as those who did, and they took them before consent was even asked (again Sweeney has admitted this was wrong - but this is what happens when you get caught with your hand in the cookie jar, and even he didn’t claim they’d been intending to fix it before they got caught).
There’s no good excuse for not using the API, there are only bad ones.