Correct. Inevitably my employer, my physician, the government, etc. knows things about me. If I want to be paid, they need my bank account (I work for a very large company, it would be impossible to pay everybody cash - nor I want it). It's OK that if the government provided me vaccines, it records what I was inoculated and when (and there are more vaccines than the COVID one). I pay taxes, so they know how much I earn and what I own - and property records also help to avoid people can take your properties and money away at will.
But they have a duty to use them only for the reason I am obliged to give that to them, and not collect more than is needed. And they also have to protect them from any kind of illegal access. May data leak occur? Of course - that why GDPR asks to protect them or you can be fined heavily, and report illegal accesses quickly.
I don't give away my data for stupid reason, thereby I'm far more worried other people give away my data for stupid reasons. My telephone number and email address (and other data) may be in other people records. Data hoarders like Facebook, Google & C. has no right to access those information - bu they do.
Just before COVID struck I refused to have my ID card recorded to enter a large Christmas fair - they told me it was for "security reason" and I could not enter otherwise - I pointed out that if I was a terrorist the X-Ray scanners and police controls were enough, and I wasn't going to let them have my data, if a policeman was going to check my ID card it was OK, a fair organizer recording my data was not. I preferred to return home.
Sometimes I don't understand why people are terrorized by government records, and have no problem with the total data hoarding made by commercial companies without any check. People willingly gave their data name, address, place and date of birth, civil status to enter a fair.
PS: all my answers to account recovery questions are made up, and usually using alternative and creative meanings of the question themselves - and different for each site. Yet you do this only when you truly understand the privacy and security implications of that all. Just like banks, you always have to know those companies work to extract money/data from you, not to be helpful.