CVEs are not the be-all-end-all of information security. CVEs are usually assigned to software that is distributed, not to web-based SaaS products, social media services, or similar, which are all the places where EXIF data leaks come into play.
For example, there was no CVE issued for the security flaw that leaked private information of 530 million Facebook users before 2019 [0], but that was obviously a significant security flaw.
Edit: Also, regarding "privacy is not the same as security"—the line is a lot fuzzier than you think. At my org the same team ("infosec") is responsible both for the security of our products and the enforcement of rules regarding PII, because they're tightly interrelated—the main concern with security incidents is that we might lose PII. There's a reason why one of the 7 data protection principles in the GDPR is security [1]—without it there is no privacy.
[0] https://www.npr.org/2021/04/09/986005820/after-data-breach-e...
[1] https://gdpr.eu/what-is-gdpr/?cn-reloaded=1