I wouldn't read too much into eBay purchases unless you expect smea to do all their shopping on eBay. All you can conclude is that they have looked at Cubic Ninja.
I believe that backed up saves on the system are locked by a per-system encryption so using them as an attack vector seems very unlikely... We know from smeagal that no special hardware is needed (so you don't need anything to write a save directly onto a game) which means the attack vector almost CERTAINLY has to be in a game that accesses the SD card directly.
There have already been a couple examples listed in the thread so those are all good ideas of what we're likely looking for.
A thing that should be noted is some work breaking into encrypted save data on the SD card has happened. Essentially you "prime" a program with some data it knows (examples are a completely black photo or an empty Pokemon box) and compare that to that data you want to know to get yourself the key. That probably only works in fairly simple cases though.
the game with the exploit is not on every eshop, but is on some
steel diver isn't on any though afaik
Last I checked Steel Diver was on the Japanese and European eShop (UK price £40). Is this another Nintendo Land* or NOA won't put it up (though to be fair when NOE put it up I was confused as you could easily find retail copies for far less than £40 at that point, maybe NOA thought there was no point putting up a $40 Steel Diver so did nothing).
But I think steel diver is an unlikely target.
*-Physical version got a price drop. NOA thought pulling eShop version was best course of action.