Doesn't that Gemini summary gist tie usernames to pretty specific highly personal non-public stories? That seems like a significant violation of ethical hacking principles.


They're anonymous usernames the app had them make, and they were told not to use anything shared elsewhere. I googled, and there aren't any uniquely identifiable people from any of them.

They seem generic enough that I think it's okay, but you're right that there is no need to include them, and I should've caught that in the AI output. Thank you!!


I think including specific stories is already an ethical hacking violation.

Including the pseudonyms associated with those stories creates unnecessary risk of, and arguably incentive for those individuals.

I also just don't get the mindset of dumping something like this into an AI tool for a summary. You say "a 300MB JSON file that (hopefully) only exists on my computer", but then you exposed part of that data to generate an AI summary.

Having the file on your computer is questionable enough but not treating it as something private to be professionally protected is IMHO another ethical violation.


I don't see the need for the AI output to begin with. Normally pen-testers just demonstrate breaches; this is more like exposing what users do on the app.
