
This seems problematic to me. Beyond just caching issues, did you ever get permission from users to store their personal data? They gave Google permission, but not you.


The users are going through an OAuth flow and creating an account. Presumably they are agreeing to a ToS as part of that.


It even says in the OAuth flow that the company is requesting your profile image.


It's a public photo. What's wrong with downloading it?


Folks, read yourself some GDPR for the greater good. Even just https://gdpr-info.eu/art-4-gdpr/

Public data can be personal data and anyone doing the same as TFA is making itself a liable processor. But, aren't you a processor by using OAuth in the first place? Yes but with what TFA is doing you have a greater liability surface.

(IANAL but I cite GDPR because the broad concepts apply to data privacy laws in other jurisdictions. See also: https://en.wikipedia.org/wiki/Brussels_effect)


I don't live in Europe, I will never travel to Europe, I don't plan to ever do business with Europe. I don't care if Europe sentences me to be shot into the sun for GDPR violations, it's not like I'm going to be extradited for it.

And I'm not aware of any law anywhere here that says I can't download a public photo. The use case is clearly valid and benign, the photo is public, there's no way a judge would go for that no matter how you twist the law.



