There is a significant difference though: If the bank takes money from your account, you notice it. If the file storage provider makes a copy of your file, you don't notice it. You'll never know how the file leaked.

(sure, the bank could perform other tricks behind your back, like doing bad investments with the money you put in, but hey they'll get bailed out anyway...)

I agree, but in a paranoid alternative world, the bank employees could share your bank account balance information with criminal organizations that would investigate you and your family, and one day kidnap you and take you or any of your family members, and ask for an amount of money they know you possess.. It's still a trust issue.

Right, hadn't thought about that, they could also leak information.

Luckily in the case of files you can easily do something about it, by encrypting them client-side or using a storage provider client that handles that for you.

The key idea is the very general principle that you increase security by reducing the scope of resources that you must trust.

cperciva is giving 2 examples: (1) use a service provider that doesn't require your trust. (2) limit the exposure of customer sensitive information to your employees that you must trust to keep it private.

I agree this is a better strategy than simply updating a privacy policy, as far as actual security is concerned.

It's worth noting that banks and similar organizations put safeguards, controls and extensive auditing on the data that limits the data tourism that any employee can engage in. You trust the organization because the organization knows that humans are fallible and essentially doesn't trust its own workers.