Depends on whether we are talking about hardened (not dangerous; most common) or non-hardened derivation paths.
With non-hardened derivation paths, it is possible to derive the master private key by having access to a single child private key and the master public key.
But since most (all?) wallets are using hardened paths, this isn't an issue anymore.
It is still an issue.
The standard derivation paths as defined by BIPs 44, 49, and 84 only use hardened keys for the first 3 levels of the derivation path - the purpose, the coin type, and the account. The change and the address index use non-hardened keys. As you say, knowing a child private key and the parent extended public key allows an attacker to derive all the child's sibling private keys.
In practice, this means that an attacker can't go any higher than the account they are in. Knowing the extended public key and a child private key from m/44'/0'/0' won't let them derive the keys from m/44'/0'/1' or m/84'/0'/0', for example. But knowing the extended public key and a child private key from m/44'/0'/0' will let them derive all the private keys from m/44'/0'/0'.