In the oposite, by completely hiding change addresses, some attack vectors are possible. Let's imagine hacked client which sends all coins from change addresses to BIP32 address on index 2^32, 2^32, 2^32, 2^32. Although these coins are still owned by the user, good luck finding the address used in change output...
So that'd just destroy the money, right? What is the attackers motive? Is it not possible to heuristically detect such shenanigans?
I think ease of use is really important, moreso than being immune to every possible attack. The book "Security & Usability" by O'Reilly is a superb manual to how theoretically secure systems end up being broken because they were too complicated or awkward to use. If a user can be confused by the output on their device, they will just end up blindly confirming things they don't understand and the whole thing gets a lot weaker. SSL suffered this fate.