Nothing to imagine, I am certain that there are 100s of thousands of such devices, and even if their design intent is not malicious they are typically security nightmares.
It doesn't matter if the intent doesn't seem malicious. And if they had nothing to hide, why weren't they upfront about the data collection? Remember when we thought having all those Facebook "Like" buttons on every website was harmless until we learned the level of which everybody was being tracked without consent?
This is China's typical playbook. Purposely collect data in seemingly harmless ways, or intentionally leave wide open security flaws that they can exploit in the future. And when they get caught it's an "oops sorry, we'll fix it right away".
The worst part is that there is no consequence for this behavior. Google, the EU, and/or FTC should be lodging fines.
