I would warn users again using Whirlpool since it creates "toxic change" that can be used for tracking future transactions and reveals common input ownership
That's why it's called "toxic", so you avoid consolidating it with the coinjoined inputs. In fact, in Sparrow, it's pretty much impossible from the GUI to create a transaction spending both the toxic change and the coinjoined inputs.
However, these tracing tactics of common ownership and change outputs are solved by WabiSabi coinjoins. Wasabi Wallet, Trezor, and BTCPay Server all support WabiSabi coinjoins.
I would warn users on using Wasabi, as it's caught into being flawed software:
https://twitter.com/wasabistatsIf the given exchange does not require the KYC procedure to go through out, why not.
The answer is as simple as "because it isn't designed to do it". Exchanges share tons of stuff, which user owns which addresses, trading volumes, etc., with governments and chain analysis companies. As I've already shared, there's even a site[1] which takes as input an address and returns you to which exchange it belongs. It's also more expensive.
[1]
https://www.walletexplorer.com/