Sure, but if one in a million people bothers to check what it is actually sending through their router, then any malicious activity would get detected and disclosed to the public - and since that hasn't happened, we can assume that it isn't happening on a large scale.
Some stick them on unrouted LANs. But that may not preclude mesh-like activity between restricted and unrestricted ESP-32s that are close enough to see each other.