
There's a world of difference between visiting links hallucinated by an unreliable ai and having a third party store (and possibly sell) every single thing you say to an ai and tying it to your identity, forever.

Also there is nothing about that attack that makes it inherently only applicable to self hosted models.



That specific attack requires adversarial inputs crafted against gradients, so it only works against open models (requires known model weights). There are dangers that include leaking PII from your current context, but also worse if you are using the model with RAG or with other types of system access, so I don't think it's as innocuous as you are assuming.



