> no security measure circumvention took place
You don't consider exploiting the 2FA fail-open, triggered by deplatforming by their 2FA provider, to mass password reset accounts and vacuum up their private messages a security circumvention?
What about using an arbitrary content-type upload on their video subdomain to implement an XSS attack to allow them to download all videos, including ones sent privately between users?