Adding the client tag does not really change the security or privacy too much. IMO

Almost all clients have a distinct way they construct events (order of tags, supporting hashtags, mention tagging, etc) so it wouldn't be to difficult to fingerprint events and guess what client constructed them.
We kind of already do this in the nostrability repo when trying to figure out what client created bad or incompatible events

I made it opt-out because it wouldn't be very effective if every user had to go digging in the settings to turn it on. and as I said above it does not change much for privacy