Nobody is forcing you to consume content on the internet, this is a laughable defense. You aren’t forced by society or capitalism to watch YouTube.

VM under TrueNAS

I agree with your second paragraph but I fail to see how the existing unused fields are somehow less dangerous or a “false equivalence” to a new unused DOB field which is significantly harder to use to deanonymize someone than their name, address, and phone number.

I’m not really sure you can argue birthdate is the thin edge of the spear when the standard Linux user database already had fields for location, email, phone number, and real name. None of which have been used for anything up to this point, and systemd-homed is not as widely used.

I probably should have said “may/could” sneak in, I forgot the xz incident didn’t quite make it to Debian (but would have had it not been caught)

I would say you are more than likely fine, malicious code does occasionally sneak into Debian distributed apps but you’ll likely never encounter something that is outright fraudulent or a scam.

People who can’t operate a computer will somehow become gods at following instructions if someone calls “from Microsoft”