Post
Topic
Board Development & Technical Discussion
Re: Zpub safety
by gunrs17 on 12/09/2021, 13:58:34 UTC
Publishing (or leaking) a derived address/privkey pair allows anybody to use the master-zpubs to generate the master-zprivs and with that, any private key that can be derived by the master private keys.
Leaking a single private key would only allow an attacker to use that private key and the corresponding master public key to derive a single master private key. In the case of a multi-sig wallet, funds would still be safe since the attacker would only have one master private key, and not the threshold number of master private keys. For the coins to be at risk, OP would have to leak multiple private keys derived from different master private keys, which is very unlikely if his multi-sig wallets are all stored separately (as they should be) and he takes reasonable security precautions.



Throughout this thread, people are using Zpub and zpub interchangeably. They are not the same thing. zpubs are for P2WPKH addresses, Zpubs are for P2WSH addresses. See here for more info: https://github.com/satoshilabs/slips/blob/master/slip-0132.md

I'm only talking about Zpubs. I'm a little confused about how we have gotten to the leaking of a private key? It is 100% impossible to obtain a private key from a Zpub (or any derivation of a master public key). And to my original question... In the case of a multisig wallet, if someone stores all of their Zpubs in an unsecure place, the only risk is privacy, correct? You are just giving someone the ability to create a watching-only wallet, correct?
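An added example, not part of the thread or of any wallet's code: a Python check that decodes a SLIP-0132 string, tells zpub (P2WPKH) from Zpub (P2WSH multisig) by its version bytes, and confirms that the 33-byte key field holds a public key rather than a private one before the string is stored or shared. The function names are hypothetical and the sample strings are constructed from dummy bytes, not real wallet keys.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# SLIP-0132 mainnet version bytes -> (prefix, script type, carries a private key)
VERSIONS = {
    "04b24746": ("zpub", "P2WPKH", False),
    "04b2430c": ("zprv", "P2WPKH", True),
    "02aa7ed3": ("Zpub", "P2WSH multisig", False),
    "02aa7a99": ("Zprv", "P2WSH multisig", True),
}

def _checksum(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(payload):
    n, out = int.from_bytes(payload + _checksum(payload), "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out  # no leading-zero handling: every version byte above is non-zero

def b58check_decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad Base58Check checksum")
    return raw[:-4]

def inspect_extended_key(text):
    """Classify a SLIP-0132 string before it is stored or shared."""
    p = b58check_decode(text)
    if len(p) != 78 or p[:4].hex() not in VERSIONS:
        raise ValueError("not a recognised 78-byte extended key")
    prefix, script, private = VERSIONS[p[:4].hex()]
    # BIP32 layout: version(4) depth(1) fingerprint(4) child(4) chaincode(32) key(33)
    # A private key is serialized as 0x00 + 32 bytes; a public key starts 0x02 or 0x03.
    if (p[45] == 0) != private or (not private and p[45] not in (2, 3)):
        raise ValueError("version bytes and key data disagree")
    return {"prefix": prefix, "script": script, "depth": p[4], "private": private}

def constructed_key(version_hex, first_key_byte):
    """Constructed sample: dummy chain code and key bytes, not a real wallet key."""
    body = bytes([3]) + bytes(8) + bytes(32) + bytes([first_key_byte]) + bytes(range(32))
    return b58check_encode(bytes.fromhex(version_hex) + body)
```

A string that decodes with `private` set to `True` belongs in secret storage, not alongside the watch-only Zpubs.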