The thing that gets me is the slope between "we monitor for security" and "we harvest for training data." The first has a clear threat model: here's the data, here's who can access it, here's the retention policy. The second turns the employee into a permanent unpaid contributor to a model they'll never see the weights of. Different economics, even if the capture mechanism is the same. Consent language probably hasn't caught up.