To me this seems outlandish (e.g. if you're part of PRISM you know what's happening and you're forced to comply.) But to think through this threat model, you're worried that the NSA will tap intra-DC traffic but not that it will try to install software or hardware on your hosts to spy traffic at the NIC level? I guess it would be harder to intercept and untangle traffic at the NIC level than intra-DC, but I'm not sure?

If you are concerned about this, how do you think you could protect against AWS etc allowing NSA to snoop on you from the hypervisor level?

Imaginary problems are the funnest to solve.