I've always struggled with this. From one side, having production data is the best way to validate that your systems behave correctly, especially for input-intensive applications like APIs, chats, etc.
But having customer data in a developer's machine is dangerous. Is not only about developers stealing information. There are many other ways that customer data can get compromised: pasting it on a chat, on a support ticket, forwarding on an email, even getting the laptop stolen (this actually happened somewhere I worked at).
I think it's better to err on the side of caution and be extra careful. Either don't give your developers access to the customer data, or invest in proper deidentification. I recently went to a meetup where the founders of Tonic.ai talked about this topic extensively. They are building Tonic to make this process as cheap as possible. I haven't use it myself, but from the demos it looked promising.