While I think it's a valid point I don't see this as a large issue for this platform: I think that many ML workloads do not require a fully-trusted environment as it's easy to verify the results after training by running the test set evaluation on a local machine. Also, many datasets can be transformed in a way such that they do not reveal much about the underlying data itself (e.g. by using one-hot encoding, removing feature labels, categorizing/tokenizing potentially sensitive fields like names, ...), alleviating data security concerns in many cases. Leakage/theft of your ML models/code might be a bigger concern here, though for many companies this might not be a large problem either as in my experience the models are often just slight modifications of "best practice" architectures.
Piling on/agreeing with you: The “magic smoke” isn’t the model, it’s the infrastructure the model plugs into, the data->feature pipeline, AND the model. Assuming you’be done the things you mention (and maybe with one additional assumption of several models operating at once), I would also consider the models themselves to USUALLY not be super super sensitive.
