The legal risks consist almost entirely of situations where there is reasonable cause to suspect that the applicant has been discriminated due to some protected characteristic. In these situations the hiring party is incentivized to maximally control information in order to minimize potential evidence. Feedback could act as legal ammunition for the benefit of the discriminated candidate.
Because hiring organisations gain very little from giving feedback and instead lose time, effort, and assume more risk when doing it; it's very common to forbid recruiters and interviewers from giving feedback entirely. Exaggerating the legal risks provides an effective explanation for doing this. The rule is typically absolute because otherwise recruiters may be tempted to give feedback out of niceness or a desire to help rejected candidates.
Also, Google's interpretation of the law is almost certainly made from Google's perspective and for Google's benefit — not from the perspective of what is the desired outcome of the law; or even more importantly, what is the underlying issue and how should we be trying to solve it to make the world better.
The Cremer document mixes two different types of whistleblower policies: protection and incentives. Protection is about trying to ensure that organisations do not disincentivize employees or other insiders from trying to address illegal/undesired activities of the organisation through for example threats or punishments. Whistleblower incentives are about incentivizing insiders to address illegal/undesired activities.
The recent EU whistleblowing directive for example is a rather complex piece of legislation that aims to protect whistleblowers from e.g. being fired by their employers in some situations.
The US SEC whistleblowing program on the other hand incentivizes whistleblowing by providing financial awards, some 10-30% of sanctions collected, for information that leads to significant findings. This policy, for the US, has a quickly estimated return of 5-10x through first order effects, and possibly many times that in second order effects through stopping fraud and reducing the expected value of fraud in general. The SEC gives several awards each month. A report about the program is available here for those interested.
Whistleblower protections tend to be more bureaucratic and are already covered by US and EU legislation to such an extent that improving them seems difficult. Whistleblower incentive mechanisms meanwhile seem much more worthwhile to investigate, because such a mechanism could be operated by a small centralized function without adding any new bureaucracy to existing organisations. I suspect that even a minimal whistleblower incentive* mechanism would reduce risks and increase trust within the EA diaspora by increasing the probability that we become aware of risky situations before they snowball into larger crises.
(*incentives here might not mean financial awards like in the SEC program, but something like helping the whistleblower find a new job, or taking the responsibility for investigating the information further instead of expecting the whistleblower to do it. I'd guess that most whistleblowing reports in EA, if any, would involve junior workers who are afraid of losing their income or status in the community, or simply do not have the energy, network, or skills to address the issue directly themselves.)