I agree with all you said, but I think a 3D printer is actually a special type of concern next to generic cyber security and privacy, because it can affect the physical world. It’s not unthinkable that the machine can remotely be told to heat up beyond safe levels and as such create a fire risk. Not the type of device that should have an open and active connection to a server somewhere far away in my opinion.
My go-to is their “REAL” PLA brand. It’s good quality, is made in NL and comes on cardboard spools.
I am a bit fed up with all the shit they throw in with each order though, there’s only so many pens and stacks of post-its I need. When I remember, I add a line in the notes field to leave it out.