I'd think also almost zero. A lot of sleazy data collection operates under at least some fig leaf pretense of user consent, in this case there's none. Once the vulnerability is discovered, Apple could find out if you've deployed such code more or less ever. Then you'd probably have problems bigger than just a contractual dispute with Apple.

Maybe some devs are allowed to do this. And that's why it wasn't patched.