That's one footgun, but then pushing that into production and actually deleting things rather than queuing them to be deleted later after a sanity check until the system is stable, and not informing users that the 1-year policy exists, (probably) not documenting that the expiry exists, not testing 'what happens if we pass in null?', etc. are a whole series of mistakes.

This was less "Oh look, a rare edge case that was easy to miss!" and more "We don't bother putting guardrails into critical systems. Oops!"