Should be noted that a lot of companies have absolutely no idea what was actually stolen due to insufficient logging.

Talking to the threat actor usually means getting some of the required info for GDPR.

He claims the blast radius is bigger, not just Linux. He also claims to be in talks with Apple. So the educated guess would still be openssh

If they receive a notice that there is illegal content, that it should be removed and then refuse to cooperate?

Then yes, e2e is not under fire, not cooperating in moderating/Removing known criminals is

He was not arrested for privacy, there are huge open groups on Telegram for piracy, csam and cyber criminals.

These groups are not encrypted, everything is stored in plain text on their servers. He is being arrested for not removing/moderating this content.