Yes it is, to the extent consent rather than legitimate interest is the legal basis or even under legitimate interest if the data meets the GDPR definition of sensitive. I suspect legitimate interest as the legal basis here would be legally invalid in this case, but it would not at all surprise me if Figma were to try to away with that argument.
The GDPR is not actively enforced enough for compliance to be as widespread as it should be, especially by non-European companies but even by European companies. (I suspect that’s part of the reason lobbyists haven’t forced in more loopholes through legislative amendment; the EU and member-state politicians and regulators can look stronger on privacy than they are without actually severely impacting the corporate surveillance and advertising regimes.)
The GDPR is not actively enforced enough for compliance to be as widespread as it should be, especially by non-European companies but even by European companies. (I suspect that’s part of the reason lobbyists haven’t forced in more loopholes through legislative amendment; the EU and member-state politicians and regulators can look stronger on privacy than they are without actually severely impacting the corporate surveillance and advertising regimes.)