
You can FOIA for records the government keeps in the management of indicators from different companies; the only thing excluded is the indicators themselves. Again: how could it be otherwise?


So, in reality, if I suspected that there was some privacy breach with regards to the transfer of information, I could not prove it. This means that I would have no standing in court (no proof of injury means no standing). This seems problematic, and worthy of examining the privacy implications (or at least discussing them).

how could it be otherwise?

Allow FOIA, and use the existing exemptions for classified material if the information is actually classified. This would mean that breaches of privacy could be found when non-classified information is present.

There seems to be concentration on "indicators" being usernames/passwords, etc. However, Sec 2 (6) (G) is "any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law;". That's basically anything, since cybersecurity threat is defined as "means _an action_ ... on or through an information system that _may_ result in an unauthorized effort ...". That seems to be a rather large hole.


The problem is that none of this information is "classified". PII isn't classified. Zero-day vulnerabilities aren't classified. Classified information is stuff that goes through USG classification process.

So there'd need to be some other regime in place that ensures that no harm is done by publishing information that companies are voluntarily sharing with the USG.

What would that regime look like?

I'm also not really convinced that there's a problem with the catch-all at the end of Sec.2(6) --- that's enabling companies to share things they were already allowed to share, and just bringing it under the same set of controls as the new sensitive stuff they can share. How is that a loophole the USG can exploit? What does that loophole look like in practice, in actual use?
