the comment_like database table in Lemmy also has a timestamp on it, “published” field, that discloses what time you voted. This reveals patterns of your Lemmy usage to other federated servers.

That’s a point that I think a lot of people are missing. Since a lot of this data is propagated, it’s not just their own instance admins they have to be concerned about, it’s any instance admin across the globe. There’s effectively zero cost to become an instance admin.

People are already using it for “good”, e.g. correlating upvotes and downvotes to identify accounts that are related to each other for the purposes of stamping out bot activity. The same method could also be used correlate ALT-accounts, say for example, a hard-right leaning account that has an alternate that interacts regularly in support of LGBTQ+ communities.

Okay so say a bad actor gets this information, and wants to use it maliciously. If they goto the users instance and attack the user in posts and comments, then they likely get banned. All this data links back to arbitrary usernames. I dont understand where the actual “threat” is in this data being semi-public.

It all depends upon how each individual uses the platform. You’d be surprised how many people inadvertently dox themselves over time.

Not all accounts tie back to arbitrary user names. There are plenty of people who know each other IRL or whose public identities are generally known. There’s a lot more potential eyeballs that can potentially build heatmaps of activity that could out “burner accounts”, for example, or otherwise make connections that aren’t readily apparent via the user interface. An overly- simplified example is I can easily tie your lemmy.world and lemm.ee accounts together without having to jump through any interface hoops. That may be of no concern to you but that doesn’t mean it’s of no concern to anybody else.