
It's about root of trust.

Generally it seems that there are two types of people - those that trust encryption and those that trust themselves just a little bit more.

In lots of threads like these the same statements repeat, pretty much similar to this exact thread.

Some people place encryption as the root of trust and so trust that any local encryption is good enough - because if it's encrypted then it's safe to go anywhere...right?

Some prefer to only trust local encryption that doesn't go anywhere, e.g. not synced non-locally to a cloud service. They do trust encryption, but their own stewardship of it they trust a little bit more.

Logically, both must trust encryption or they wouldn't both use it, but one trusts the implementation a little less. That person generally trusts their own systems, setup, skills and self to provide an additional layer of 'feel good' security. They trust the security of their setup and its supply chain over that of a third party. They trust their own 'defence in depth'.

Functionally the two approaches are more similar than either will admit, because unless you can secure the entire 'system' from transistor to human, all the 'prefer local' user is doing is shifting the point of attack and not necessarily understanding their 'defence in depth' might not be as deep as they think.

Most 'prefer local' users will usually point out that the shift of the point of attack makes it harder to achieve. That may have some truth, it may also not. It may actually be that a third party security focused service with many dedicated employees who are paid well and operate round the clock to monitor activity might have a greater 'defence in depth' and a subsequently greater chance of spotting or preventing a supply chain attack over a single individual spread across many tasks (such as living a normal life and administering their systems in spare time).

The discussion usually then descends into opinion and there it stays, like a plant in the shade, never producing any useful fruit to its keepers.


