[asah]

This protects against remote rogue employees and intruders.

As for physical attacks, Google is ultra paranoid about physical access to DCs, and I think we can quickly agree that rogue employees and outsiders would have little chance of successful attack given the outrageous (and secret) methods that Google employs. Remember, this is one of the most-attacked organizations in the world, they've had decades (plural) to enact defenses and test them, and a successful attack would cost them over $10 billion - there's a virtually unlimited budget for physical defense. Circa 2020, I'd put Google's physical intrusion defenses up against most military installations.

[nitrogen]

Is there something special that happens when a legit remote cloud user logs in that doesn't happen when a rogue remote Google admin logs in? Something that prevents a modified web client from stealing the creds during a user's web console session?

[theevilsharpie]

SEV protects against physical attacks. A rogue admin logging in through a management console would have to go through whatever controls and auditing the console's access control functionality provides.

[frandroid]

> decades (plural)

Namely, two at most.

[Kye]

Is there a point of diminishing returns on experience for security? Two might be enough.