Ahh that's a great question - it's a very real risk. In my mind, most of the data these companies have is sourced from other companies so all that these vendors do is increase the surface area for the attack vectors. And the (probably naive) hope is that the attackers can't do much with data such as trust scores and the underlying factors.