The rule of thumb would be to prefer the OBD data. The most secure data is the data that is never even exposed, and OBD exposes less than a smartphone does.
> I'm curious if anyone has reverse-engineered the actual data packets these dongles send.
Yes, but you don't even have to do that. The OBD protocol is readily available, so you can see what data is surfaced, and you should just assume that anything that can be read through OBD will be sent to the insurance company.
If you want to really see what data your particular car surfaces through OBD, OBD readers are very inexpensive and readily available. Pick one up and explore.
From my personal perspective, I can't imagine a circumstance where I'd be OK sharing any of this data at all, particularly not with insurance companies.