“security checks have never included the user’s Apple ID or the identity of their device. […] we have stopped logging IP addresses associated with Developer ID certificate checks, and will ensure that any collected IP addresses are removed from logs.” support.apple.com/en-us/HT20…

"We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to (etc)" sounds like an admission that they could.

Key to me is the (planned) option to allow for an opt-out

Sure, but it reeks of "we got caught so we'll take a step back". It will be up to the user to opt out, and there'll be some message saying "Are you sure you want to opt out of keeping your device secure?" with the onus of understanding the impact being on the user.