Insecure is a curious word as it entangles with what is or isn't known, more than informs about design.

A different way to put it is GCP architecture has made different tradeoffs. For example favoring operability over confidentiality*, or scalability over integrity.

This makes sense from its mono-tenant engineering origins. Those were the right calls. Google exported SRE not SecEng.

Frankly, for most cloud customers, it's what they need.

---

* Take this break glass process. It arguably shouldn't be possible. If clients need their CSP to be "NSL proof", unable to leak corporate info responding to a national security letter (or any less obligatory rationale) without the corporation knowing, GCP is not their cloud. CSPs mostly consider it more difficult than it's worth to design a cloud offering that can be proven unable to provide a client's data. On the contrary, customers yell if CSP can't restore lost data, like Apple users yell if Apple can't restore iCloud. iCloud Advanced Security is what happens when you build clients the choice -- witness the warnings.

Support drives design choices, not security.