I'm a little confused about how we have gotten to the leaking of a private key?
Because the combination of a Zpub plus any one individual private key is enough to derive the Zprv and all the associated individual private keys.
It 100% impossible to obtain A private key from a Zpub(or any derivation of a master public key).
Correct.
And to my original question...In the case of a multisig wallet if someone stores all of their Zpubs in an unsecure place, the only risk is privacy, correct? You are just giving someone the ability to create a watching-only wallet, correct?
Mostly correct. There is a hypothetical security risk in the scenario described above where you have accidentally leaked a private key, and there is the also the concern that if someone can recreate your watch only wallet and see how much bitcoin you own, that they may target you specifically for further attacks.