I think I have some insight into this as I have an end to end encrypted cloud service called coinlock.com. My slashvertisement on the subject was ignored though ;) millions in funding tends to get people noticed.
Anyway, on this particular subject I think you have hit the nail on the head. The key to long term security is to completely open up the API and separate the client side components so that third parties can use the service with their own software or with the software that you have provided them directly on their local computer.
This is easier said than done for most services, but it's something that I am striving towards and intend to do a full client auditable release as well as publish the public facing API. This idea that people can move their services outside of the country and it matters I think is very flawed. U.S. companies are subject to the law regardless of where they do their hosting, and the management team is the weakest link in the security chain. This is something that is best solved by transparency.