Obviously buying KYC from an exchange exposes you to the exchange.
However, unlike Bitcoin, they have no idea where you send the XMR afterwards.
Connecting to a 3rd party node does NOT expose your transaction history or anything about your wallet.
Your wallet *will* tell the node the last time it synced, i.e. from what block it wants information. Not really a big deal.
The biggest issue can be that if you broadcast a tx to a malicious (customized for chain surveillance) node it can know the true input(s) to that tx.
Which could be a problem if you *did* buy KYC from a CEX and turned right around and spent using that malicious node and the node runners were coordinating with that CEX.
They wouldn't know where the transaction went, but they would be able to see that it was you that sent it.
If that makes sense
And it wouldn't work if you had moved the coins between the CEX and spending them with the adversary's node.
So yeah, there are edge cases where it's possible to screw up your privacy if you do very specific things and happen to be unlucky
nothing is completely drool-proof
Realizing that I screwed up this explanation
The Eve -> Alice -> Eve attack I describe is always possible and has nothing to do with a malicious node.
That is to say
if the person you receive the Monero from and the person you send it to are colluding
they can eliminate the decoys in the ring signatures and see the true outputs
The danger with a malicious node is just that if you connect to broadcast a tx without hiding your IP somehow they can see that IP sent that transaction.
Which is usually true with other chains anyway
but Monero uses Dandelion which prevents knowing what node broadcasted what transaction in most cases
🙇