All right, I have found my correspondence with the ombudsman commission and this is how I understand their position.
According to WP:DOX "Posting another editor's personal information is harassment, unless that
person has voluntarily posted his or her own information, or links to
such information, on Wikipedia." So the standard here is "voluntarily posted".
But it appears that "voluntarily posted" is not the standard used by the ombudsman commission. According to the ombudsman commission, anyone can publish non-public information about someone as long as it is "based on simple guesses". The burden of proof is on the person being doxed to prove there was a chain of transmission. So I can say "Foo is gay", "Foo is Jewish" or "Foo's real name is John Smith", or "Foo lives in Hill Valley", and as long as I say it was just a lucky guess, this is not a problem, Foo just has to live with the information being public. Likewise if Boo finds out that Foo is gay and suddenly Boo's best friend Fee, as well as Fie, Foe, and Fum, who all belong to a private WMF mailing list, all start posting to Wikipedia that Foo is gay, or Jewish, or their real name or whatever, this is not a problem to the WMF because Foo is not able to prove where the information came from.
Likewise with IP addresses. If you edit logged out, revealing your IP address, or if there is a bug in the program that logs you out and then allows you to make an edit without notifying you that you are editing logged out, as the beta version of HHVM (Hip Hop Virtual Machine) used to do, this edit is considered to be "information that is publicly available on the projects", even if the edit is immediately suppressed. Someone can then write a program to stalk a particular person, and collect these suppressed edits, then post the Wikipedia user's geographical location to eternal websites, and the ombudsman commission does not consider this to be problem.
The instructions for dealing with a dox, according to English Wikipedia WP:DOX, are "If you see an editor post personal information about another person, do not confirm or deny the accuracy of the information," where with the ombudsman commission you are required to provide proof that the personally identifying information is accurate and find the website or email the information came from before they will consider suppressing it.
So apparently the WMF privacy policy standards are quite lax, at least in practice, compared to the standards of the English Wikipedia. However the arbitrators of the English Wikipedia are not willing to enforce, or even abide by the WP:PRIVACY policy (which is a policy, not a guideline). And once the arbitration committee gets rid of someone, they are not concerned with whether they are doxed, either on wiki or off, and any user's expectation of privacy can be de facto revoked, retroactively, simply by banning them.