There is actually no difference, only a difference in intent.

The problem is similar to that of government efforts to ban encryption: if you have a backdoor, everyone has a backdoor.

If Meta is collecting huge amount of user info like candy (they are) and using it for business purposes (they are), then necessarily those employees implementing those business purposes can do that, too.

You can make them pinky promise not to. That doesn't do anything.

Meta has a similar problem with stalking via Ring camera. You allow and store live feeds of every Ring camera? News flash: your employees can, too! They're gonna use that to violate your customers!