I’ll pick stupid, slightly less efficient, but PRIVATE any day. This being said, there’s no reason why occupancy sensors can’t talk directly to a thermostat that doesn’t divulge personal info to third parties, yet is directly accessible over the Internet. Spyware doesn’t need to be included for efficiency, or can be opt-in.
Keep in mind that with IPv6, direct communication between devices on the Internet without third-party mediation will become super easy. (IPv6 theoretically allows every atom on the surface of the Earth to have a static IP times 100).
As far as the utility programs, a correctly designed thermostat could poll a server run by the utility for instructions rather than the utility accessing it directly. One could install third-party code (i.e. “an app”) on a given thermostat to do so without any privacy risk.
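An added example (not the commenter's code) of the pull model in the last paragraph: the thermostat initiates an outbound fetch, verifies the utility's signed instruction, rejects stale or replayed messages, and clamps the setpoint to homeowner-set bounds before acting, so no inbound port or third-party cloud is needed. The pre-shared key, message format and bounds are assumptions.

```python
import hmac, hashlib, json

# Assumed: a per-device key provisioned at install time (constructed, not a real secret),
# homeowner-controlled clamping bounds, and a freshness window for instructions.
DEVICE_KEY = b"example-preshared-key-not-a-real-secret"
MIN_SETPOINT_C, MAX_SETPOINT_C = 16.0, 28.0
MAX_AGE_S = 300

def verify_and_apply(raw: bytes, now: float, seen_ids: set, key: bytes = DEVICE_KEY):
    """Validate one fetched instruction; return the setpoint to apply, or None to reject."""
    try:
        env = json.loads(raw)
        body, mac = env["body"], env["mac"]
    except (ValueError, KeyError, TypeError):
        return None
    # HMAC over the exact body string; constant-time compare avoids timing leaks.
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        msg = json.loads(body)
        ts, mid, setpoint = float(msg["ts"]), str(msg["id"]), float(msg["setpoint_c"])
    except (ValueError, KeyError, TypeError):
        return None
    # Reject stale messages and replays of an id already acted on.
    if abs(now - ts) > MAX_AGE_S or mid in seen_ids:
        return None
    seen_ids.add(mid)
    # The utility may request, but the homeowner's bounds always win.
    return max(MIN_SETPOINT_C, min(MAX_SETPOINT_C, setpoint))

def make_instruction(setpoint_c: float, ts: float, mid: str, key: bytes = DEVICE_KEY) -> bytes:
    """Utility-side helper (constructed) that produces a signed envelope."""
    body = json.dumps({"ts": ts, "id": mid, "setpoint_c": setpoint_c})
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": mac}).encode()

def poll_once(fetch, now: float, seen_ids: set):
    """One outbound poll: the device calls out (e.g. an HTTPS GET), nothing listens inbound."""
    return verify_and_apply(fetch(), now, seen_ids)

if __name__ == "__main__":
    seen = set()
    raw = make_instruction(21.5, 1000.0, "dr-001")
    print(poll_once(lambda: raw, 1000.0, seen))   # 21.5
    print(poll_once(lambda: raw, 1000.0, seen))   # None (replay)
```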