
>I always found it kinda fishy if the party you're trying to protect against also provides the tools you use to protect yourself.

It actually makes perfect sense the company would want to provide the tools that protect you from them. Take Signal for example: it's a messaging app that does beautiful integration of E2EE into the message transfer product. It's much better than e.g. the OTR plugin developed by Goldberg, Borisov et al. for Pidgin etc.

What matters is transparency: Does the company allow you to verify their native client does proper client-side encryption, and does that FOSS code have reproducible builds? If yes, then it's much better the company spends some of the revenue from sold space into developing and auditing the client and its cryptographic implementations.




I agree, it's not impossible for a storage provider to also provide trustworthy E2EE. I trust some of these providers as well.

It's just kind of a gut feeling that centralization of power (i.e. possession of the data and knowledge about and control of the encryption mechanism) makes such a service a more attractive target to compromise.

Of course, if you really wanted to get the data of a specific person all you'd have to compromise is the encryption funnel regardless of where the data is stored. But I'm thinking, distributing control over the storage and the encryption is gonna make it a lot harder to do that because there's no single party that knows about both other than you.



