Internet traffic is one thing but IoT traffic is very specific and can searched on, captured, redirected, stopped, etc.
I get that people are used to the idea that "free" means comes with advertisements, but that's the overly simplistic view and while still applicable in many cases, is now not the point. Command and Control is the point. We think evil robot overloads when it is really a new avenue for thug/mob revenue. It's not that I will push ads down to Alexa for when I say, "Alexa, I'm hungry" and it replies, "We have sun chips on sale today and we can have it delivered in four hours." That may be the future for Amazon, but the real problem is that there is no security between the two points. Even a script kiddie could put a man-in-the-middle attack to where they lock you out of the role and then insert ransomware on all your devices, especially computing devices, door locks and devices. Basically an intruder can make it so that you have to cut power your house and remove all the IoT devices. Has that happened already? I don't know. Is it possible? Yes.
What has happened is that many IoT devices have been zombified (Actually, I prefer the term, "enslaved" because it describes the actions better) to the point that these devices have been harnessed to provide device-based points for concerted DDOS attacks. The owners do not even know their devices have been turned into slaves spewing data focused at a particular site. They may blame the Internet for being slow until someone points to a webtraffic site showing their outbound communication is saturated.
The device makers (the current breed of startups, that is) don't care that they are supplying devices that have mile-wide security holes. As a startup they have only two ideas in their pockets and it's all come from someone's MBA playbook (most likely Stanford or Haas/Berkley).
QUICK ASIDE: At first there was a rush to patent anything and everything with the formula "I do this normal thing" + "on the Internet." But in the past five years, most of these patents have been struck down as you cannot create a new thing by just saying "on the Internet." So it is a losing avenue to just rush out something "on the Internet" and expect everyone to pay you royalties forever.
So with the patent avenue struck down, or a painful long term battle (and let's face it most startups long term plan ends at the time of production and, or sale) ahead, people still wanted to get in the startup game as a quick way to score big bucks before you're 25. And that's the two ideas that are still panning gold. Number one is have a device that is IoT whether or not it is useful now. Just the idea of product
'X' that can be controlled from your phone still draws investment dollars. So now you find people looking at everything in their apartment/house, going 'hmmm, I wonder if I put IoT on it..." So you get the right person from the EE school who can put together a SoC and attach it to product 'X.' Viola, a new business venture.
But now that space is becoming crowded with the devices, so what makes yours unique? People actually using it. So you spend enough to get a help desk support team together to make the device more user friendly because...second idea, you now start collecting user data. Now you've got tracking and trending data, you have perhaps new unexpected use cases but at the end, real user data. At this point you say, yeah, targeted ads. Perhaps but the real point means that these startup companies, the people vested, now have their pivot. Which in startup speak means, an exit strategy. These folks don't want to be running help desks, they want to be rich now. They want to go the clubs and events as rockstars, they don't want the drudgery of actually maintaining a company. So now this data, as a slice of user experience, becomes an asset. This is Nest. This is Wink. This is what most likely will happen to Ecobee. Your user data becomes important to companies that don't have that slice of your life yet.
And this whole time, we not talked about communication security or sanctity of your data. It all comes down the very key point when you put an IoT device in your home, you have to ask the Internet for permission to use your house.And you do so through open channels.
I get your concern, but my response is "OK, say they're collecting all this data...what would they DO with it?" 99.9% of people's Internet traffic is most likely things like posting memes, complaining about politics, asking your spouse what they want for dinner, etc. All of this recorded data gets lost in the crowd, and it's only really useful for figuring out trends. These trends come in the form of targeted advertising...which doesn't really both me (it's how these companies make income to give away free services).
Yes, I know, there's been cases of directed attacks on people based on data collected by companies. But, looking at the amount of data out there, these cases are actually very rare.
If they were using collected data for something like ethnic cleansing or military interrogation, sure, there would be outrage. That's not going to happen though.