Ryan Pickren:

This vulnerability allowed malicious websites to masquerade as trusted websites when viewed on Desktop Safari (like on Mac computers) or Mobile Safari (like on iPhones or iPads). ​> Hackers could then use their fraudulent identity to invade users’ privacy. This worked because Apple lets users permanently save their security settings on a per-website basis. ​> If the malicious website wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom.

And:

I reported this bug to Apple in accordance with the Security Bounty Program rules and used BugPoC to give them a live demo. Apple considered this exploit to fall into the “Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data” category and awarded me $75,000.

If this sort of thing concerns you, put a post-it over your Mac and Mac display cameras.