I don’t understand the privacy implications.

At what point have you just “become” whomever you are impersonating? Is there an advantage to the proverbial Man tracking your alter ego, if said alter ego is your public face 100% of the time?

It’s safer to assume “yes” and check your router, but the CVE links indicate compromises through the web portal of the device, and there is no way to compromise that from the Internet if your router is behind a NAT without a hole punched for web access.