And then you've got a country like the US introducing the CLOUD Act, which "allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil."

In other words: physical location isn't enough, the company's HQ being in the US is in itself already a massive risk.

The big American cloud companies are trying to get around this by offering their services via "independent" EU entities who aren't owned by the US company but still offer the exact same stack, but I bet most customers are just as unimpressed as I imagine US law enforcement is going to be.