That sounds to me like they're acknowledging that the feature doesn't work as advertised ("may not align with user expectations"), but also that it was reported as an exploit/security vulnerability, while it's actually a privacy leak. Maybe HackerOne isn't the right channel for reporting those issues?
Certainly, public pressure is another way :)