The potential ramifications of this in post-Roe America can't be overstated. This means law enforcement in a red state where abortion is illegal could get access to a woman's location data and weaponize it against her if she sought out-of-state abortion care.
IMHO this needs a third column, many automakers telemetry APIs are unauthenticated. All one needs to do is see what request the car is making and mirror that with a VIN of your choosing. These are "protected" by the CFAA but there is no enforcement or conviction