[bsder]

> That doesn't seem like a super meaningful statement, not least because it's both excessive and insufficient.

That's very disingenuous.

The "application server owner" has all the control. The "server owner" can transfer my repo, copy my PRs, inject their own PRs, and even lock me out.

If I control the server, it becomes VASTLY more difficult to impersonate me or inject a change without my permission or cooperation.

Sure, it can be done, but it will take far more than just a couple people of random employees typing for a couple minutes at a keyboard to pull it off. Someone will have to spend real money to usurp my DNS, set up another website, copy all the data (which they may or may not have full access to), etc.

The cost to compromise me is orders of magnitude higher if I control my own servers.

[yjftsjthsd-h]

It's not disingenuous, it's a difference in magnitude and threat model. Owning your server gives you things that a hosted offering doesn't, and fails to give you other things. That may be a good trade off, but it is a trade off (ops isn't nothing), and it's not an absolute, both of which mean that dismissive statements about owning your own servers are less than helpful.