Having worked professionally in security and incident response for 15+ years now, this take is not just spot on, but might be overly optimistic.
I can't tell you how many large, well known companies I have worked with that either intentionally mislead, downplay, obscure or straight up lie in these types of notifications.
I have had legal teams tell me that they don't have to notify customers of a breach because an event happened on their test/dev systems, or a developer was compromised and not their actual service.
I have had companies intentionally not give information (like what an attacker was able to exfiltrate from a particular set of customers) that would have been extremely helpful to inform or assess their risk. Instead they put out a generic "sophisticated attacker compromised our system, but no credentials or PII from our application were stolen".