This is an area that demands nuance. Simply saying "durrr, we shouldn't be doing any of these things, against anyone, ever!" is masochism. It's the sort of masochism that often leads to the country drifting towards the right, because centrists are by and large not interested in pursuing an anti-American agenda that demands we self-flagellate and remove ourself as a global power to remove even the *possibility* that said power could be abused.
Fight abuse. Don't fight tools. I'm someone who believes James Clapper should have been not merely fired but imprisoned for perjury, but that doesn't mean I'd support the wholesale destruction of our ability to use tradecraft in targeted ways.
1. This is a somewhat debatable point, but as long as they aren't actively weakening the code base this seems reasonable enough. This about more than merely being able to eavesdrop on Russian spies or destroy Iranian centrifuges; it's also about being able to monitor what other spy agencies are doing or attempt to do and it's about the confidence those spy agencies could have in their ability to do things undetected. If the CIA were required to openly disclose any zero day that it knew about (and if this were actually enforced), that would mean that if their Russian or Chinese counterparts ever stumbled on a new zero day, they would instantly know that the CIA was ignorant of this vulnerability. Thus, such a policy would put us as a significant disadvantage in not just intelligence, but also counterintelligence.