[Solved] Image Previews only working for HEIC photos

From the HackerOne report I mainly see a security risk - imagick starts like a normal child process at the OS level and runs kind of outside of the control of Nextcloud. This allows crafting attacks using malicious content embedded in rich formats imagick understands.

Privacy is a side effect of the problem, as shown in test.heic. If the attacker knows/guesses an OS local/internal file name she has no access to, she could create a preview of this file using the internal path (e.g. user bob stores a file passwords.txt on his root level; alice could access this file using a reference to {nextcloud_files_root}/files/bob/files/password.txt, revealing the contents of this file…