The problem is that Googlers (like far too many tech companies) view data as being secure if outsiders can't get access to it. They don't count access by themselves as a security issue, even though it objectively is.
Googler here. I don't speak for Google and obviously shouldn't and won't divulge internals, but this just makes me cringe so hard: unauthorized or illegitimate access by staff is OBVIOUSLY treated as a security issue. I'm kind of shocked that folks would think otherwise.