What sort of server logging do you do? How do you strike a balance between user privacy and improving your service?

No such thing as user privacy against the owners of the service. That's why terms of use have clauses in them about tracking and why employees sign some lovely NDA-like things that say they will have access to private data and should they abuse this access all hell will break loose upon them.

tl;dr you can't have user privacy against someone with admin access to the DB, track away

Open Whisper Systems kept the bare minimum of user data and it paid off

I use Segment for the convenience and then route things onwards from there. But regarding what's being tracked, I try (at the moment) to send as little user-identifiable information to Segment as possible (hello GDPR) while at the same time tracking the main user events that I've found to be crucial. Maybe that all needs to be adjusted as well and it should only be user_ids that are tracked.
We're currently doing a big push at work to comply with GDPR, so for the side projects I'm gonna piggyback on that once I know what the actual limits are.