Hacker News

I too find Google only keeping 2 weeks of logs unbelievable.


You might find it surprising, but at Google it's common to do things like not returning anything when aggregating data from a small number of users. That's before even looking at projects like RAPPOR or ESA. Source: I had access to sensitive data many years ago.


The regulatory costs of GDPR mean that for every piece of log data, you want to think about whether or not you really want to keep it.

If you don't have a good business case for keeping it, you're often better off erring on the side of deletion.


Both the breach and the fix happened months before GDPR went into effect, though.


Generally you want to build systems in compliance with future regulations before they kick in. GDPR at big companies is a multi-year effort.


Even before the GDPR, Google had to contend with the NSA / GCHQ illicit access events and the China hack.

They had plenty of experience to suggest to them that keeping highly-detailed logs around indefinitely could do more harm to their users than good.



