Hacker News

denysvitali, today at 1:36 PM

Yeah, but the Bluetooth spec has changed a lot over the years (3000+ pages), and certification is rather expensive.

There's an interesting article from Wired [1] about this, although some comments from engineers working on BT stacks are far more interesting. It seems like most manufacturers do not create spec-compliant devices, and that the certification tests are just poor.

I'd love to hear more from an expert on the topic, but this looks to be the consensus.

[1]: https://archive.ph/6201V


Replies

balou23, today at 5:03 PM

I'm by no means an expert, but I've recently implemented a small BLE based IoT device, and had a look at the security/privacy of a medical BLE device.

Some points:

* there's a real lack of quality, up-to-date documentation. I would have thought that at least on Linux you'd find some documentation, but most of it seems to be "RTFS".

* BLE is in general very unfamiliar to most developers. There's no client and server; there's central and peripheral. GATT profiles are a mix between TCP connections and a binary REST-ish interface.

* Encryption/authentication is possible, but depending on the manufacturer's API and the quality of the documentation it's not really apparent (a) how to select a secure connection method and (b) how to even check if and which authentication/encryption was chosen.

* Following on from the previous point, many BLE devices have the same generic GATT profiles, sometimes with the same sample data. It looks like a lot of BLE devices just copy-and-pasted sample code from the manufacturer and added the minimal changes "to make it work".

* It's probably really easy to do passive/active fingerprinting to find out the manufacturer and/or chip version used in a device: default services, ordering of advertising options, etc.

* Many BLE devices are not conformant. Uninitialised name fields with garbage in them ("Device Name: WHOOP\020��=u5״\023n"), manufacturers using random identifiers that clearly don't belong to them

* When doing passive BLE sniffing, the biggest obstacle isn't getting data, it's how to filter it. One of the most useful filters in the nRF Connect app for Android is the one that drops all advertisement packets from Apple and MS devices, to cut down the overwhelming number of such devices.
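As an added example (not code from either commenter, and not how nRF Connect itself is implemented), the following Python script shows the three things the post above runs into when sniffing advertisements: walking the length/type/value AD structures of a raw advertising payload, dropping the Apple and Microsoft manufacturer beacons by their Bluetooth SIG company identifiers (0x004C and 0x0006, from the SIG assigned numbers), flagging a local name field that is not printable UTF-8, and grouping what is left by a crude stack fingerprint built from the AD structure order and advertised 16-bit service UUIDs. The sample payloads are constructed for the example and are not real captures; the fingerprint format and the names `parse_adv`, `is_noise`, `fingerprint` and `triage` are this example's own.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Bluetooth SIG assigned AD types used below (Core Specification Supplement).
AD_FLAGS = 0x01
AD_UUID16_INCOMPLETE = 0x02
AD_UUID16_COMPLETE = 0x03
AD_SHORT_NAME = 0x08
AD_COMPLETE_NAME = 0x09
AD_MANUFACTURER = 0xFF

# SIG company identifiers of the two vendors whose beacons the post filters out.
COMPANY_APPLE = 0x004C
COMPANY_MICROSOFT = 0x0006
NOISY_COMPANIES = {COMPANY_APPLE, COMPANY_MICROSOFT}


@dataclass
class Advertisement:
    ad_types: List[int] = field(default_factory=list)  # AD types in on-air order
    flags: Optional[int] = None
    uuid16: List[int] = field(default_factory=list)
    name: Optional[str] = None
    name_valid: bool = True
    company_id: Optional[int] = None
    mfg_payload: bytes = b""
    problems: List[str] = field(default_factory=list)  # conformance findings


def parse_adv(data: bytes) -> Advertisement:
    """Walk the [length][type][value...] AD structures of one advertising payload."""
    adv = Advertisement()
    i = 0
    while i < len(data):
        length = data[i]
        if length == 0:
            break  # zero-length structure: the rest of the PDU is padding
        if i + 1 + length > len(data):
            adv.problems.append("AD structure runs past end of payload")
            break
        ad_type = data[i + 1]
        body = data[i + 2 : i + 1 + length]
        adv.ad_types.append(ad_type)
        if ad_type == AD_FLAGS:
            adv.flags = body[0] if body else None
        elif ad_type in (AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE):
            if len(body) % 2:
                adv.problems.append("16-bit UUID list has odd length")
            adv.uuid16.extend(struct.unpack_from("<%dH" % (len(body) // 2), body))
        elif ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            try:
                name = body.decode("utf-8")  # UnicodeDecodeError is a ValueError
                if not all(ch.isprintable() for ch in name):
                    raise ValueError("control characters in name")
                adv.name = name
            except ValueError:
                # Keep the bytes visible for the report, but mark the device non-conformant.
                adv.name = body.decode("utf-8", errors="backslashreplace")
                adv.name_valid = False
                adv.problems.append("local name is not printable UTF-8")
        elif ad_type == AD_MANUFACTURER:
            if len(body) < 2:
                adv.problems.append("manufacturer data shorter than company identifier")
            else:
                adv.company_id = struct.unpack_from("<H", body)[0]  # little-endian
                adv.mfg_payload = bytes(body[2:])
        i += 1 + length
    return adv


def is_noise(adv: Advertisement) -> bool:
    """The filter from the post: drop Apple and Microsoft manufacturer beacons."""
    return adv.company_id in NOISY_COMPANIES


def fingerprint(adv: Advertisement) -> str:
    """Crude stack fingerprint: AD structure order, advertised services, company ID.
    Devices built from the same vendor sample code tend to share this exactly."""
    types = "/".join("%02x" % t for t in adv.ad_types)
    uuids = ",".join("%04x" % u for u in sorted(adv.uuid16))
    cid = "%04x" % adv.company_id if adv.company_id is not None else "----"
    return "%s|%s|%s" % (types, uuids, cid)


def triage(payloads) -> Tuple[int, Dict[str, List[Advertisement]]]:
    """Parse each payload, drop the noisy vendors, group the rest by fingerprint."""
    kept: Dict[str, List[Advertisement]] = {}
    dropped = 0
    for raw in payloads:
        adv = parse_adv(raw)
        if is_noise(adv):
            dropped += 1
            continue
        kept.setdefault(fingerprint(adv), []).append(adv)
    return dropped, kept


# Constructed sample advertisements for this example (not real captures).
SAMPLES = [
    bytes([0x02, 0x01, 0x1A, 0x05, 0xFF, 0x4C, 0x00, 0x10, 0x05]),   # Apple-style beacon
    bytes([0x02, 0x01, 0x06, 0x04, 0xFF, 0x06, 0x00, 0x03]),         # Microsoft-style beacon
    # Two "different" products that share vendor sample code: same layout, same services
    bytes([0x02, 0x01, 0x06, 0x05, 0x03, 0x0F, 0x18, 0x0A, 0x18, 0x0B, 0x09]) + b"BLE_Sample",
    bytes([0x02, 0x01, 0x06, 0x05, 0x03, 0x0F, 0x18, 0x0A, 0x18, 0x0B, 0x09]) + b"BLE_Sampl2",
    bytes([0x02, 0x01, 0x06, 0x08, 0x09]) + b"ABC\x10\xff\xfe=",     # uninitialised name bytes
]

if __name__ == "__main__":
    dropped, kept = triage(SAMPLES)
    print("dropped %d noisy beacons" % dropped)
    for fp, advs in kept.items():
        for a in advs:
            print(fp, repr(a.name), a.problems)
```

Run it as-is and the two clones land under one fingerprint while the garbage name is reported as a conformance problem; point `triage` at payloads pulled from a sniffer or from `bluetoothctl`/BlueZ D-Bus `ManufacturerData` and the same logic applies.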