I agree that there needs to be trust, and it think it should preserve privacy in every possible way. I agree with the principles you have put forward. However, as it relates to protocols, whether it is the DP-3T or the TCN, I think there are other ways we can preserve privacy.
I do wonder, though. In your statement you said that de-identified or aggregate data should be used whenever possible, unless it will not achieve the defined purpose. If I take that same approach, then we're going to abide by these ideas unless we have to say, on balance, that in the public interest overall, the app won't achieve the defined purpose if we have an opt-in system only. If, instead, an opt-out system would get the adoption rates we need, would you be opposed to that?