You are right; companies do tell users how they use the data.
If I want to know who bought my data in the last month, Google (etc.) won’t tell me a thing. And there are nefarious buyers out there. I don’t want to get (geo)political, but the Wall Street Journal (don’t believe everything you read) published a few articles in the past of foreign agencies, with government funding, that have hacked into all sorts of important systems. For example British voting records and US utilities.
In wartime, or simply to distract from world events (Ukraine, Israel, perhaps Taiwan), mis-use of personal information can be powerful and nearly undetectable (don’t believe everything you read). (To get un-political: I mean to say mis-use happens globally, everywhere and all the time - I realize there is emphasis on potential election interference in the US; this is not my intent.)