I do see your point but let’s say for the sake of argument that:

Case 1: the logged in user doesn’t actually have access to ‘all’ of his data so this might count as an extra measure and prevent a false login on getting all the data. The ‘fraud’ loged in user might see part of the data ( whatever the Admin has decided to be on a profile page lets say ) but there’s no ‘export’ of everything ( far fetched I know but happens ?? ). By giving him an automated option then you’re freelly handing everything over. Plus some might want 2-3 steps for verification before a download ( even if logged in ).

Case 2: let’s take under consideration that not all servers are equal so an automated process might be a bit clunky on a server that doesn’t have resources to handle multiple exports etc and even end up making more bad than good at the end. This was actually 1 of the case it was decided to not be automated.

It is still a valid point though and it seems that an automated way could be helpful on some situations as well. But it should have an ‘on/off’ switch in my opinion so both ways ( automated or not ) can be decided by any given Admin ( even though I’m in favor of the manual only hehe ).

It sounds like the direction is that this should be a plugin, rather than core functionality.

You have a good point, an automated download could be a security issue.

But an automated export via email (with an on/off switch, indeed) would provide great value to:
1) the User with instant access to his data
2) the Admin that would not have to do a repetitive, constant action
3) the GDPR compliance, preventing cases when the Admin fails (for any reason) to reply to requests