Copying production data to dev is widely regarded as being a bit of a bad idea, if the data contains any information that relates to a person or real life entity.

Uncontrolled access, inability to comply with "right to be forgotten" legislation, visibility of personal information, including purchases, physical locations, etc etc.

Of course sales, trading, inventory, etc data, even with no customer info is still valuable.

Attempts to anonymise are often incomplete, with various techniques to de-anonymise available.

Database separation, designed to make sure that certain things stay in different domains and cant be combined, also falls apart if you have both the databases on your laptop.

Of course, any threat actor will be happy that prod data is available in dev environments, as security is often much lower in dev environments.

Caveat emptor.