Users can be migrated, although it is easier if the identity is separated properly. WebFinger does exist to solve a lot of the migration headaches by allowing a well-known place to link all of your services to a common identity. You want to migrate? Just link to that new service. You then have to multicast some announcement, which is the hard part, and messy... but possible. WebFinger is usable from status.net, rstat.us, etc., but they also allow you to host your identity with them.
Your privacy argument thus holds true for email, as it is a pull system where your email can be read by any intermediary server. You solve this problem in both instances with keypair encryption. The problem is not a technical flaw (closed, centralized systems are opaque about your data, which can be seen as worse) but rather a flaw in presenting and educating people to use secure practices if privacy is desired.