There is no architectural design where some covert team in Google can't exist to leak out data. After all the system needs to be able to let the user see their data. Unless they go open source, e2e encrypted, user managed keys and key backups, and user verification of client code. Which also means ad free.

That is very much not possible at Google. Attempting to do it covertly would trigger any number of alerts.

I don't think you understand how silo'd the workers are at a place like Google. Their physical plant security, as well. They do security like any other federal defense contractor would.

When you call in to Support at Google, you'll get someone who is a specialist in a certain thing, and they have access to only the tools and data necessary to do their particular job with your account. They rely on your disclosure of stuff to them. I often find myself uploading files to Drive, or images to Photos, and sharing them Public so that the Googler can follow a link.

As an anecdotal example, I've visited Waymo depots a couple of times. (Not actually Google, but a sister company under Alphabet.) The depot is completely nondescript, and I wouldn't have identified it if I didn't know what it was. There are a few Visitor parking spaces up front. And the front entrance leads to a Security Desk. The waiting room has about 4 chairs and a table of interesting design. The Security Guard will see you know. And there's a door beyond.

I was there to pick up "Lost & Found" items. You basically get the impression that security is tight as a drum. The guards can be kind of informal; there are employees circulating in and out; but ain't nobody going to exfiltrate a bunch of data, if they appreciate their freedom and civil rights.