Am I reading this correctly? Their chosen cloud providers run the PCC stack on their hardware, so the compute provider is responsible for ensuring the privacy guarantees? I assume that would add to the potential security surface area.

Intel and Nvidia are responsible for enforcing their privacy features. The cloud operator (Google in this case) has no access to any data.

Yes, that seems to be the case, and is an evolution/deviation of the original PCC model, which relied on Apple Silicon exclusively.