European data protection law, namely the GDPR, lists as one of its core concepts the principle of privacy by default.
I think the option "hide user profiles from public" should be ticked by default for new Discourse installations.
If user profiles are shown by default, users should at least be informed in the ToS to be confirmed at sign-up (up to every Discourse admin).
Then, if user profiles are public by the configuration of the forum, users should have an option in their profile to opt in (privacy by default) to be part of the listing of public profiles.
I am convinced the last option is really important for European Discourse installations. Note that the server location does not play a role here. It’s about the intent to have European users.
Confidentiality is part of security. Hence, European authorities could see public profiles without user consent as a security breach or a breach of personal data. That’s why I think this issue is more a bug than a request for an enhancement.