It's probably due to one of those reasons,
1. You need to trust the exit node.
2. Unless you and other node use encryption (this is recent addition based on BIP 324), the connection isn't encrypted.
3. Theoretically anyone could run exit node, including government and analysis company.