As someone, who has finally got my first taste of remote work – this seems a bit low to me.
To answer the initial question, can this feature get abused for OSINT? I’m doubtful it can. This is certainly state of the art privacy by design: showing a profile name and picture while preserving the E2E confidentiality (server-side data being stored encrypted) and disabling OSINT availability.
This is good step in the right direction, even if only half baked. It would be better if their solution was E2E encrypted, like Protonmail provides.
As already mentioned, ProtonMail (which Cambridge Analytica’s former CEO Alexander Nix claimed his company used to keep emails secret) offers self-destructing email complete with end-to-end encryption when emails are sent between account holders.
I have used WordPress almost exclusively for years now. I have looked into Ghost in the past and it looks promising with the latest release.