Having spent some time at Unimatrix 1 in Shenzhen (on contract as a business consultant - for a large American firm - yes lol) I would observe (note that I'm not supporting just observing)...
Besides any deliberate actions that may or may not happen there are a couple of process issues. These arise from a common root in many cases.
1. Chinese configured devices are required to have Lawful Intercept Gateway functionality for obvious uses in China and compliance with local legislation. (Yes boo hiss but it's the local law - I believe Cisco etc. devices also have to comply to be sold there).
2. Sales may have customer pressure on new product in another part of the world so they may divert product configured for China to customers in those markets, sometimes it may not be reconfigured to remove the above functions... it's not SUPPOSED to be there/used. This is a process failure.
3. Product may be configured by default for China which means process failures result in this product escaping - this is a Privacy by Design failure - it should be neutral configured then specially configured for the destination market.
4. Product is cheap in Shenzhen - some 3rd parties will buy up cheap product, stuff it into a container, and send it on a slow boat from China to other markets where it is more expensive. Escape and/or 3rd party product sales failure.
So process failures are one issue - they aren't unique in this respect.
Ok you might think that is some cases product may "accidentally" escape to certain end users - I couldn't possibly comment :-)
I know - The Borg know where I am and are coming to get me. Resistance is futile.
(I am using a VPN).