They can, but that’s not the point.

1) there may be limited privacy if you didn’t KYC from the start or tumbled it later.But that’s probably only pre 2017 holders.

2) if the corpus of BTC blockchain has the CP on it then anyone running a node may be guilty of transmitting it.

This is not good.