> Yes this requires the trust that they in fact cannot decrypt it.
Yes, this is where it all breaks down. In the end, it all boils down to the company saying "trust us", and it's very clear that companies simply cannot be trusted with these sorts of things.
Yeah I wish there was a solution to that, even open source isn't a solution since it would be trivial for there to be a difference between what is running on the server and what is open source.
Ultimately you have to make a decision based on the companies actions and your own personal risk threshold with your own data.
In this particular case, we know that at the very least Google's track record on this is... basically non existent.
Yes, this is where it all breaks down. In the end, it all boils down to the company saying "trust us", and it's very clear that companies simply cannot be trusted with these sorts of things.