There is no architectural design where some covert team in Google can't exist to leak out data. After all, the system needs to be able to let the user see their data. Unless they go open source, e2e encrypted, user-managed keys and key backups, and user verification of client code. Which also means ad-free.