First, as a general update to this thread:
Shockingly I stand by everything I've said previously. I'm actually upset because that means maybe I haven't learned anything new, but it also means Tesla hasn't done anything since this thread was created. Maybe I'll redirect some of my upset towards them.
However, Tesla did implement two-factor authentication. In full disclosure, I don't know how they have it set up. This is absolutely a move in the right direction, but doesn't necessarily help for what's been outlined in this thread.
If the two-factor auth is a one-time authentication for all the same permissions as these services had access to before, it doesn't help at all. Alternatively, if using two-factor auth means you can't use third-party services, then people may just not use two-factor auth. It's positive progress, just maybe not on this particular topic.
I want to highlight this statement of yours,
"Tesla already tracks what we do every day with our car. Our phones track where we go and how we use them. Our credit cards track where we go and how we spend our money. I could keep going. This data is all clearly already monetized."
This is absolutely true, but I don't view that as a reason to give my information to everyone else. I treat these as necessities (credit cards are nearly essential these days, I need a Tesla account to use my car at Superchargers, and the phone is all sorts of almost-essential as well). I'm limited in my options with those - either I find an alternative, or accept and hope they're being responsible enough on an ongoing basis.
However, with other parties, my use of their services is a heck of a lot less essential and I restrict it wherever possible. The less hands it's in, the better. The best detailed profiles come from amalgamating info from multiple sources - the less leaky sources, the less known you are.
---
So, what should you be concerned about, that's what you're asking. I can't answer that much more satisfactorily than I've already replied (to you and many other posts in this thread - there's some good discussion way back there somewhere).
I'm not comfortable giving a third party the virtual key to my car, which can be silently copied virtually. I see that not as fear mongering, but prudence.
Think of it like a physical key. Instead of something like TeslaFi or Stats, it's Camalaio's Data Service. You give me a copy of your key, and in exchange for some money, I install a tracker on your car. I routinely go to the car, enter it, and write down values from the tracker I installed, and mail you some graphs. When you one day no longer want Camalaio's Data Service, I promise to not use the key but I don't give it back to you.
Would that be a comfortable arrangement? Probably not. This Camalaio dude shouldn't need full access to your car at all times. And trusting him forever with the key? What if one of his friends or neighbours is a bit of a carjacker and knows Camalaio has all these keys? For all I know Camalaio keeps these all in a shed in his front yard! Risky business. Except... instead of a physical key and some dude in your town, this is a virtual key and can be used by anyone anywhere in the world.
That's the main point. The access level is too high, and what's being asked for is too much. What you can worry about is a bit unlimited, because there are nearly no limits to the access being given.
I'd be way, way happier if the access wasn't all-or-nothing. That's the main problem, and is something only Tesla can solve. They need to separate car data (e.g. battery level) from personal data (e.g. location), and from further actions (e.g. unlocking the car). That's what I mean by it being all-or-nothing right now.
Fear mongering or prudence. We probably won't agree on that one honestly, but I hope you (and anyone else reading) have either learned something or enjoyed the conversation.