I don't agree that privacy was an afterthought before then. There were a lot of internal controls and privacy considerations had been a part of the design process even when I first joined in 2006. Of course the level of effort ramped up over time as the company grew. The primary constraint then as now was simply that most users trust tech firms, don't include them in their threat model and will reject even tiny amounts of inconvenience in the name of privacy. So that really heavily constrains what can be done. For example it kills most attempts at proper end-to-end encryption, leaving us with this sort of strange pseudo-e2e-encryption that's more a legal hack than anything serious (the company that supplies you with the encryption equipment is your adversary, which makes no sense in any classical conception of cryptography).