I got an ad once for a group selling stolen credit card numbers too. I must have reported it at least a dozen times but it was always kept up and the report said it didn’t break any rules. It only got removed after I just skipped Facebook reports and reported to the police.
I’ve been wondering this too. Will there be a way for company policy admins to somehow remove this fully? I work in an industry that deals with very sensitive and private information - no way in hell this would ever even remotely be allowed or pass any audits. Even just existing but being disabled could be problematic.
But big companies aside, how will this impact small companies who have no real in house IT? The potential for it to be capturing and storing stuff like, as you say anything required by PCI compliance, could turn into a nightmare. We also know this will inevitably be hacked or used by spyware somehow, someday, too no matter how secure they say it may be. So now a bad actor can recall an entire day work and data capture from a worker?