Per J-Mo's comment in https://lists.wikimedia.org/pipermail/wikimedia-l/2017-December/089408.html: "if the welcome bot is pulling from a public log to send these welcomes (as it must be), then the potential privacy violation occurs regardless of whether a welcome is sent, and the fix, if deemed necessary, needs to happen upstream."
This issue arose because users who create an account on one wiki, and then browse to another wiki while logged in for the sole purpose of reading that wiki, may experience a welcome message being placed on their talk pages immediately following the user reading that other wiki.
If a public log entry that indicates that a user account has been auto-created, does that constitute a privacy violation? If the answer is yes then the log entries either should be hidden or should not exist. (No one is disputing that after a user creates an edit as logged-in user that the existence of the account on that wiki should be public.)
I am tagging this with Privacy and Legal with the hopes of getting an appropriate person, probably a WMF attorney who addresses privacy matters, to review this situation. Note that even if the attorney's opinion is that the public nature of the log entry of the auto-created user account is permissible under current policies, the policy itself could be changed; that discussion is something that would happen off of Phabricator.