Because the combination of a Zpub plus any one individual private key is enough to derive the Zprv and all the associated individual private keys.

I'd like to understand this completely in reference to a multisig setup.  Let's use a 2 of 3 multisig as an example.  If someone were to have all 3 of the Zpubs and then you accidentally leaked one of your private keys.  Is it possible to derive the 2nd private key?  And if so then the attacker can sign a transaction from this wallet.