It seems a bit like the FBI warning at the beginning of DVDs, the only people that are going to be bothered by it are people that were going to play by the rules in the first place. The privacy was already lost, you can't increase it again retroactively.

The ones marked sensitive have more a pattern of "we don't want to be caught in a court caste about hosting the info" than a pattern of trying to improve privacy in the ways this thread is suggesting.

The lookup doesn't tell you anything more than someone exists in a breech. You'd still have to have the data itself.

If you have the data itself, then lookup is as simple as 'grep' or 'ctrl-f'

So anyone who has the means to compromise someone they're looking up by having the data doesn't need the HaveIBeenPwned tool in the first place.

Moot point, IMHO.

what if I use HIBP to check if any of my friends had registered accounts on a Furry Findom forum, which was recently breached? It's potentially embarrassing.

I'd argue reasonably smart people would use a different, non distributed/shared email address for sensitive things like fetish sites...

...and that your friends deserve a better friend than someone who would look up their email addresses to embarrass them.

This breach would be marked as ”sensitive“, so you wouldn't be able to look that up without confirmation of ownership.

You can't, because that specific breach has been marked as sensitive: https://haveibeenpwned.com/FAQs#SensitiveBreach