Another thing: "they can do what they want with their data", I assume you're talking about the cloud provider? Because that remains to be seen; there are often EULAs put into place, which means that both sides have a few restrictions to keep in mind.
I generally tend to avoid cloud services such as Google or Dropbox for privacy reasons. I don't trust their privacy policies ...
To a large extent, that's pointless paranoia.
If you are using the cloud just to store data (sort of like Dropbox, Amazon S3, Google GCS, or Microsoft Azure Storage), then you can store encrypted data, and you keep the encryption key. At that point, the cloud provider has no way to look at the content of your data. All they can do is destroy it, for example if you don't pay your bill. OK, there are a few theoretical possibilities: they could tamper with it and modify it. Your decryption step will trivially detect that, if you include signature checking (some decryption software does that automatically, I don't know whether all do). And they can notice whether you are using a lot or a little storage right now, and do traffic analysis. That's like measuring when international tensions are rising, by measuring how much pizza gets ordered late at night by the Pentagon.
So we don't need to worry about data at rest: it is reasonably secure.
By the way, if you think your data is more secure at home, think again. Remember the scandal when disk drives were found to contain spying firmware?
Now, if you also use the cloud to do processing, it gets more interesting. You can keep your data at rest encrypted (in the cloud), but to use it or write it, it will be decrypted. This happens inside a computer, which in the case of the cloud is a computer you are renting. That computer is built from off-the-shelf parts by the cloud provider. The smaller ones buy standard motherboards, the larger ones make their own motherboards. All use stock chips (CPUs from Intel/AMD/Arm..., memory from memory vendor du jour, IO from the standard sources). That computer runs the OS of your choice, perhaps with a virtualization layer underneath (you can rent both a physical computer and a virtualized computer in the cloud). The cloud provider can't become root on your machine ... they don't have that password, you do. They can't spy on your network traffic if you use all encrypted protocols (HTTPS for example).
And within the computer (within the motherboard), the stock chips don't have any loopholes that are not also present if the computer were at your house or business. So the only way they could spy on you would be to add explicit hardware to the motherboard, which looks at memory content or PCI bus traffic. And they would have to keep that completely secret, and do it without any performance impact (can't steal a cycle here or there), because otherwise performance measurement would reveal the spying. And note that the smaller cloud companies use off-the-shelf hardware (motherboards, IO cards), while the larger ones use custom motherboards, but still have to outsource all chip manufacturing and board assembly. So adding a dedicated spying chip would be something that lots of people outside the company would know about, and would have to keep secret.
Now, if the cloud providers could do that, the standard motherboard makers could do that too. Oh wait, they have already been accused of doing that! Remember the scandals about Intel's service processor, and about Supermicro (made in China) motherboards that have hidden chips implanted by the Chinese agencies?
In reality, processing data at a cloud provider is roughly as secure or insecure as doing it on your own premises. In theory, you can make your own site more secure. The first step is to disconnect *ALL* network wires going in and out; the second step is to control all access by humans (including computer maintenance people), and to make sure those humans don't bring any communication devices (cell phone) or storage devices (USB keys, paper, pencil) in or out. There are data centers that are run that way; they tend to exist at national security agencies, military, and nuclear labs. I've heard stories that involve marines at the door, sites where every sys admin has an assault rifle on his back, and places where visitors have to be followed at all times by a security guard who carries a big flashing red light to announce the presence of an outsider. All this is in practice unachievable.
The real risk to data security is whether your system is well administered, and protected from the common viruses and attacks. Compared to that, the choice of whether to do the processing on-site or off-site is secondary.
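The tamper-detection point in the reply above, as an added example that is not part of the original post: an encrypt-then-MAC check applied to an already-encrypted blob, using only Python's standard library. The key, the object names and the random bytes standing in for ciphertext are constructed; the encryption itself is assumed to be done by a separate tool.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def _tag(mac_key: bytes, name: str, version: int, ciphertext: bytes) -> bytes:
    # Bind the object name and a version counter into the MAC, so swapping
    # two valid blobs or serving an older copy fails the same check.
    n = name.encode("utf-8")
    msg = len(n).to_bytes(4, "big") + n + version.to_bytes(8, "big") + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def seal(mac_key: bytes, name: str, version: int, ciphertext: bytes) -> bytes:
    """Run locally before upload: returns ciphertext || tag."""
    return ciphertext + _tag(mac_key, name, version, ciphertext)

def verify(mac_key: bytes, name: str, version: int, blob: bytes) -> bytes:
    """Run locally after download, before decrypting. Raises on any mismatch."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob shorter than a tag")
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, name, version, ciphertext)):
        raise ValueError("integrity check failed")
    return ciphertext

def demo() -> dict:
    key = os.urandom(32)   # constructed MAC key; never leaves the client
    ct = os.urandom(64)    # constructed stand-in for encrypted file bytes
    blob = seal(key, "backup/db.enc", 2, ct)
    old = seal(key, "backup/db.enc", 1, os.urandom(64))
    cases = {
        "intact": ("backup/db.enc", 2, blob),
        "bit_flipped": ("backup/db.enc", 2, bytes([blob[0] ^ 1]) + blob[1:]),
        "truncated": ("backup/db.enc", 2, blob[:-1]),
        "renamed": ("backup/other.enc", 2, blob),
        "rolled_back": ("backup/db.enc", 2, old),  # client remembers version 2
    }
    results = {}
    for label, (name, version, data) in cases.items():
        try:
            verify(key, name, version, data)
            results[label] = "ok"
        except ValueError:
            results[label] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

Authenticated encryption modes such as AES-GCM produce the ciphertext and the tag in one step; rollback detection additionally depends on the client keeping the expected version number locally.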