IMO this is unfair for GPL or similarly licensed code.

Seems ok for MIT like licensed code though

Things being public should not be enough. just because someone leaked your medical information to the public via a data breach should not make it fair game. There should be some rules.