Does SaaS X/Cloud offer IAM capabilities? Or going further, do they dogfood their own access via the identity and access policies? If so, and you construct your own access policy, you have relative peace of mind.

If SaaS Y just says "Give me your data and it will be secure", that's where it gets suspect.