I did some additional testing. My results are very different than before. Perhaps I have fooled myself into seeing what I was expecting to see.
My test subject was John H. Peters, born 8 Oct 1843, died 8 Mar 1890. In my production database, there is a light bulb with two WebHints for MyHeritage, a record match for the 1850 census and a tree match.
- I created a new, empty database and hand entered all the data that follows. Nothing was copied over from my production database.
- I entered John H. Peters. No light bulb.
- I added a birth date of 1843. No light bulb.
- I added a birth date of 1843 and a death date of 1890. No light bulb.
- I deleted the death date and changed the birth date to 8 Oct 1843. Light bulb for the tree. That's not much data, but there was a WebHint anyway.
- I changed the birth date back to 1890. The light bulb went away.
- I added a father of John W. Peters with no other data. No light bulb.
- I added a mother of Ruby (her full name was Ruby M. Smith, but the census doesn't care about that), and the light bulb appeared for the 1850 census. It didn't need a birth date for either John W. Peters or Ruby, But it did need both of them. John W. alone as father or Ruby alone as mother wasn't enough. It needed both of them. And they worked even though the 1850 census doesn't explicitly identify family relationships.
If I copy the MyHeritage URL for the WebHint matches (including the weird hash string) and paste it into a different browser, I do see the limited amount of data that I have entered for John H. Peters into my test database. But unless I post my URL, you all shouldn't be able to see the data from my test RM database. If you all repeat my experiment with the data I've included in this message, you should be able to see the data from your RM database. The data will be the same, simply because I've shared it with you in this message. But you shouldn't be able to see the rest of my data, such as the birth place for John H. Peters or the death place or the burial date and place, etc. And you could even post your URL with its weird hash string so the rest of us could see your data that you just entered for John H. Peters. But it's hard to see how you could see my data unless I were willing to share my URL with my hash string. So the process seems pretty safe to me at this point (well, unless you get the exact same hash string with my data as I get with my data).
Nevertheless, it remains the fact that my data is being stored on the MyHeritage server even though I didn't upload it - hopefully in such a way that only I can see it. But I didn't explicitly create a tree or otherwise explicitly upload my data. It just got uploaded and kept automatically as a part of creating my light bulbs for me.
Furthermore, if I confirm a match, it can never delete my data after an appropriate timeout period or else the confirmation will go away.
Finally, nothing in this last round of testing seems to have anything to do with RM's Unique ID. Since I made a whole new database and didn't drag and drop anything into it, the John H. Peters in my test database had a different Unique ID than in the John H. Peters in my production database.