You are overthinking this. If you have a VM running the controller, or a cloud key, on your internal network, you would need to VPN in to manage them remotely.
I'm not advocating that any enterprise use this service. I run a WAN with 4 local sites (on a MetroE MPLS network) and a remote office via a VPN tunnel. So this is not my first rodeo.
I would never use a cloud-based WiFi controller for the very reasons you specify, and that means that if I need to remotely manage WiFi while I'm out of the office, I'm using a VPN.
A lot of companies don't have the same security concerns. That's all I'm saying. And for those who, say, manage WiFi access intended for the public at multiple sites, like a hotel or coffee shop chain for example, this might be just the ticket. They don't have to set up and maintain a bunch of individual controllers, and can centralize everything in one console, and let someone else maintain the server it runs on.
Now you might not like that, but realize that this service is exactly that.
You might be comforted by the fact that a breach of the controller doesn't affect your internal networks.
...until you realize that having control over the controller means root access on all of your sites. So it shouldn't be that comforting.