Um, well yeah. This is the case any time you give data to a third party. They now have a copy, and you can't control what they do with it.
Even doing an audit wouldn't necessarily reveal anything. If somebody has data that they want to hide I'm not sure how much can really be done to force them to reveal it.
If the price is high enough, bad actors will be willing to breach NDAs/CDAs/licensing agreements/etc, but at least then you can be seen as having done more than zero.
Might have been prudent here.
This doesn't stop external attacks, of course, but it can reduce internal risks.
Facebook could have had more than zero control, if it had wanted.