@robb You raise some very good points.
I haven’t used Azure at all yet, so I cannot comment on what sort of encryption they may or may not have for the data.
I know that for GCP, you can turn on encryption but exactly what you can encrypt where - I am unsure.
For AWS, I know that there is encryption in transit and encryption at rest and you can set up access to the EC2 Instance (AWS’s version of a VPS) so no one can access it except for those who you give access to. I know for AWS, they do not have access to get inside an EC2 instance, so they cannot even monitor the memory utilisation without you installing specific software to do so.
In AWS, you can encrypt the EBS volume (AWS speak for the vdisk) and if you are using EFS (which you access using NFS) or AWS S3, you can enable encryption and the encryption keys can be managed by AWS’ KMS service.