It’s worse from a privacy-perspective because at least in your example, the user could just send funds to a z-addr and then send funds to their intended recipient. In that case, the exchange wouldn’t really know what you do with the funds other than withdraw them to a specific starting address. But if the exchange is just doing database changes and not actually doing any on-chain transactions, that’s worse.