If your worry is Google, as an organization, is actively trying to steal your stuff, that's one thing. If your worry is a rogue Google employee is doing some unsanctioned thing, that's another. This (imo) mostly helps with the second, unless you also assume that Google as an organization is fairly inept and so can't log things reliably.
If the government is interested in something from my mail servers, I'll see the legal request or judge's orders and will know what is going on, and will be able to take appropriate action.
If the government makes appropriate legal threats against Google, I won't necessarily know (National Security Letters) until long after the fact.
If your threat model includes the US government, then I would expect you would self-host anything sensitive. Even then, there's still the possibility that they could exploit some 0day they've been stockpiling, and root your servers without leaving a trail. Certainly harder than sticking Google with a gagged NSL, but possible.
But I don't think most people's threat model includes the US government. Probably not even most news organizations.
> If the government is interested in something from my mail servers, I'll see the legal request or judge's orders and will know what is going on, and will be able to take appropriate action.
Or the mail servers of the person/people you're communicating with. At which point you wouldn't know, because they'd be subject to the same laws, and less well equipped to fight them.
I'd like to add an additional possible threat model that gets ignored pretty comprehensively and, in some cases, intentionally: Your data being fed to automated systems that provide summaries or derivative information based upon your data. People ignoring this is behind much of the NSA's snooping. They believe that until a HUMAN operator views the cleartext of some communication, the communication cannot legally be said to have been 'intercepted' at all. And if you look up any statement ever made about reforms done at the NSA after Snowden's revelations, you will find that all of them, every single one, spoke exclusively about human analysts reading communications directly. They avoided addressing analysis, profiling, ML training, summarization, and other automated things very intentionally. The government has dropped a good many cases, serious cases involving child pornography even, to avoid ever testing this idea of theirs in court. We learned about this particular legal opinion of theirs (which would almost certainly never survive any court challenge at all) before Snowden even, back when the AT&T whistleblower came forward.
The likelihood a company like Google is reading your emails directly and trying to scoop your business on a product idea or something like that is slim. The likelihood they are profiling your communications in aggregate and producing derivative information like "how many companies in the space are considering hiring" or "do the employees at this company talk about Chipotle" and using that for advertising or data products is, I would guess, pretty high.
This is just a specific form of my "Google as an organization is out to get you (and willing to lie in their privacy policy)" threat. It may sound more reasonable to you, but it's still the same set of actions.
We just had 2 incidents where both Facebook and Twitter broke their privacy policy by using phone numbers for ad targeting when they were only supposed to use them for 2FA & account recovery.
I wouldn’t trust a company with personal data while their main business model depends on violating your privacy, just like you wouldn’t trust an alcoholic with guarding a warehouse full of vodka.
The only way to be somewhat sure is to deal with companies that have zero uses for your personal data - this will not mitigate the risk of a malicious employee poking around but will at least mitigate the risk of large-scale data misuse like ad targeting because there’s simply no ads to target and no infrastructure to do so.
In this context, we're discussing G Suite, which doesn't use any data for ad targeting.
Edit: from the privacy policy:
> No. There are no ads in G Suite Services or Google Cloud Platform, and we have no plans to change this in the future. We do not scan for advertising purposes in Gmail or other G Suite services. Google does not collect or use data in G Suite services for advertising purposes.
We're talking about a company that makes the bulk of its money with ads, running a (supposedly ad-free) product on the same infrastructure that the ad-contaminated products run on.
There's both a risk of accidentally misusing data given the two services share infrastructure and code, as well as a business incentive to commit such "accidents", especially given both Facebook and Twitter set a precedent that there's absolutely no downside in doing so.