Obviously buying kyc from an exchange exposes you to the exchange.
However unlike Bitcoin they have no idea where you send the XMR afterwards.

Connecting to 3rd party node does NOT expose your transaction history or anything about your wallet.
Your wallet *will tell the node the last time it synced, ie from what block it wants information. not really a big deal.

The biggest issue can be that if you broadcast a tx to a malicious (customized for chain surveillance) node it can know the true input(s) to that tx.
Which could be a problem if you *did buy KYC from a CEX and turned right around and spent using that malicious node and the node runners were coordinating with that CEX.
They wouldn't know where the transaction went, but they would be able to see that it was you that sent it.
If that makes sense
And it wouldn't work if you had moved the coins between the CeX and spending them with the adversary's node.

So yeah there are edge cases where its possible to screw up your privacy if do very specific things and happen to be unlucky 

nothing is completely drool-proof