There's also no insistence on privacy in the Debian Social Contract or DFSG (not that these would be appropriate places for it, they're mainly about licensing)
> I don't think Debian intentionally shields you from privacy-invading software
There is a culture of valuing privacy though, including patching out privacy issues. Especially since a lot of Debian folks are from Europe, with corresponding GDPR knowledge.
I know that the lintian warnings pointing out privacy issues in HTML documentation do get a lot of patches.
Also, opensnitch is packaged as a mitigation.
You are right about the policy problem, Debian really needs to do something about that.
There is at least a privacy policy for Debian services.
Debian does not mandate anything about privacy in its Policy Manual (which are the standards for selecting and packaging software that maintainers must adhere to): https://www.debian.org/doc/debian-policy/search.html?q=priva...
There's also no insistence on privacy in the Debian Social Contract or DFSG (not that these would be appropriate places for it, they're mainly about licensing)