The disagreement follows from the choices Atlassian is making with regard to PII, which are very inconsistent.
In general, there are three distinct roles defined in the GDPR: the Data Subject (the natural person to whom the PII applies), the Data Controller (the entity that requests and handles the PII from the data subject) and the Data Processor (the entity that does a specific task with that PII on behalf of the Data Controller).
Atlassian is in a bit of a tricky spot: it does business with both individual users (making Atlassian the Data Controller) and companies (for which Atlassian is Data Processor, and the company itself is Data Controller on behalf of the employee). To complicate things: Atlassian has decided to enforce an Atlassian ID for all users, meaning that regardless of whether you are accessing the Jira Cloud instance of your company, you, as a data subject, also go into an agreement with Atlassian, with Atlassian being the Data Controller.
This mixup makes it really hard: normally, if I were an employee of a company I would be able to ask for removal of my PII upon resignation. The company is then obliged to remove my records from all systems, including Jira. However, because Atlassian is using Atlassian ID, it means my relationship with Atlassian could in theory live beyond my commitment to the Jira Cloud instance of my employer. I could have used that same ID to sign up for a different service within the Atlassian sphere, say Bitbucket Cloud.
To fix this problem, Atlassian has embarked on a mission to A) eradicate PII from their systems as much as possible, B) create very complex privacy settings (incl. UI option for each different state) that will make APIs behave differently based on the privacy settings of either the company or the individual user, C) create a PII records API for interfacing with 3rd parties (vendors) to allow them to trickle down requests for data removal via Webhooks and D) update all legal documents to make sure everyone in the Atlassian sphere plays by the same rules.
From that perspective, it is really strange to see that Atlassian has taken their hands off user-generated content, because that does not square with the fact that they are doing their best to control every aspect of PII within their systems and the systems of 3rd parties (vendors).
There is probably a good technical reason for this, because detecting PII in user-generated content is really difficult. And to some extent, Atlassian is right for not touching this. However, they cannot have it both ways: either you want to fully control PII within your systems, or you create a legal structure in which you do not take any responsibility for PII, leaving it solely with the Data Controller or Data Subject.
The strange legal mixup Atlassian has created for itself in combination with the practical implementation simply doesn’t make any sense from a GDPR perspective.