Some concerns about PII: send_default_pii not being completely used, silent update on transactions capture with potential PII #2438

Open
pbernery opened this issue Oct 18, 2024 · 0 comments

Issue Description

I report some concerns about PII, after discovering some data on Sentry that I didn't know was captured.

I enabled Sentry Transaction/Performance 2 years ago. At that time, only the controller actions were reported, if I am not mistaken.
Some months ago, I upgraded from 5.7.0 to 5.16.1. I usually read the changelog to check for any important changes, particularly around PII.

I discovered some weeks ago that the params of the controller actions are now captured. Some investigation on my side showed that this is coming from #1973, which was reported as "Fix sentry-rails' controller span nesting", without mentioning this update on capture if I am not mistaken. This PR was introduced in 5.8.0.

Also, the send_default_pii option (https://docs.sentry.io/platforms/ruby/configuration/options/#send-default-pii) is presented as follows:

When its value is false (the default), sensitive information like:

  • user ip
  • user cookie
  • request body
  • query string in the url

won't be sent to Sentry.

which is not true here, as params is the body of the request. I expect this option to hide params in transactions, and probably in other parts.

What's your point of view?
Did I miss something in the release notes or any other news channel?

Reproduction Steps

  • upgrade from 5.7.0 to 5.16.1,
  • params are added as span tags,
  • content is displayed on Sentry interface.

Expected Behavior

  • changelog mentioning any changes that may impact PII or any other data captured,
  • see these changes as breaking changes, and thus bump the version accordingly.

Actual Behavior

  • changelog not mentioning this critical change in captured data,
  • version not increased accordingly.

Ruby Version

3.3.4

SDK Version

5.21.0

Integration and Its Version

No response

Sentry Config

No response
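As an added example (not part of this issue and not code from sentry-ruby), the following shows what a defensive `before_send_transaction` hook could look like that strips request parameters from transaction spans unless `send_default_pii` is enabled, plus a small audit helper that reports which spans still carry raw params, so a test suite would have caught the capture change described above before an upgrade shipped. Assumptions: spans are plain Hashes with `:tags` and `:data` keys (mirroring the array-of-hash shape of `Sentry::TransactionEvent#spans`), parameters live under a key named `params` or `request.params`, and the event below is constructed so the code runs without the gem.

```ruby
# Added example, not from the issue or from sentry-ruby itself.
# Scrubs request parameters out of transaction spans unless send_default_pii
# is enabled, which is the behaviour the reporter expects the option to have.
#
# Assumptions: spans are plain Hashes with :tags and :data keys (matching the
# Array-of-Hash shape of Sentry::TransactionEvent#spans), and request
# parameters sit under a key named "params" or "request.params". The event
# further down is constructed; nothing here calls the real gem.

PARAM_KEYS = %w[params request.params].freeze # assumed key names
REDACTED   = "[Filtered]".freeze

# Returns a copy of one span hash with parameter values redacted in :tags and
# :data. When send_default_pii is true the span is passed through untouched.
def scrub_span(span, send_default_pii:)
  return span if send_default_pii

  scrubbed = span.dup
  %i[tags data].each do |section|
    bag = scrubbed[section]
    next unless bag.is_a?(Hash)

    scrubbed[section] = bag.each_with_object({}) do |(key, value), out|
      out[key] = PARAM_KEYS.include?(key.to_s) ? REDACTED : value
    end
  end
  scrubbed
end

# Returns a copy of the whole transaction event with every span scrubbed.
def scrub_transaction(event, send_default_pii:)
  spans = Array(event[:spans]).map { |s| scrub_span(s, send_default_pii: send_default_pii) }
  event.merge(spans: spans)
end

# Audit helper: descriptions of spans that still carry unredacted params.
# Run this over a captured event in a test so an SDK upgrade that starts
# attaching params (as in the issue) fails CI instead of reaching Sentry.
def spans_leaking_params(event)
  Array(event[:spans]).select do |span|
    %i[tags data].any? do |section|
      bag = span[section]
      bag.is_a?(Hash) && bag.any? { |k, v| PARAM_KEYS.include?(k.to_s) && v != REDACTED }
    end
  end.map { |span| span[:description] }
end

# Constructed sample resembling a Rails controller transaction with params
# attached to the controller span (the situation described in the issue).
SAMPLE_EVENT = {
  transaction: "UsersController#update",
  spans: [
    {
      op: "view.process_action.action_controller",
      description: "UsersController#update",
      tags: { "params" => { "user" => { "email" => "alice@example.com", "password" => "hunter2" } } },
      data: { "path" => "/users/1", "params" => { "user" => { "email" => "alice@example.com" } } }
    },
    {
      op: "db.sql.active_record",
      description: "UPDATE users ...",
      data: { "db.system" => "postgresql" }
    }
  ]
}.freeze

# Wiring into the SDK (assumption about the hook's event shape; not executed here):
#
# Sentry.init do |config|
#   config.send_default_pii = false
#   config.before_send_transaction = lambda do |event, _hint|
#     event.spans = event.spans.map { |s| scrub_span(s, send_default_pii: config.send_default_pii) }
#     event
#   end
# end

if __FILE__ == $PROGRAM_NAME
  puts "spans leaking params before scrub: #{spans_leaking_params(SAMPLE_EVENT).inspect}"
  cleaned = scrub_transaction(SAMPLE_EVENT, send_default_pii: false)
  puts "spans leaking params after scrub:  #{spans_leaking_params(cleaned).inspect}"
end
```

The redaction keeps the key and replaces the value with `[Filtered]` rather than deleting the key, so the Sentry UI still shows that params existed on the span without exposing their contents; the audit helper treats only unredacted values as leaks, which is what makes it usable as a regression check across SDK upgrades.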
