I think the work that Cesium and the team are doing is great. My employer has a cesium ion account and it is possible that in time we may post content which we consider sensitive or proprietary. I hope to better understand the boundaries between the contributor community and the company.
Thanks for the kind words! Posting your asset ID does not enable anyone to access your assets. In order to access assets in your ion account, a user would need an access token that gives them permission to see that particular asset. So if you have a web CesiumJS web app that displays your asset, it would be using an access token to give the client this permission.
When you create an access token you can specify which assets it has permission to (so you can allow an application to access one asset without accessing everything in your account). So nothing in your account will be publicly available unless you publicly post an access token. Access tokens can also be revoked to revoke access.
Employees of Cesium access assets only when you reach out to us for a support issue, and only for the assets that have an issue. I hope this answers your question! The privacy policy here details everything as well: https://cesium.com/legal/privacy-policy/