[lxgr]

The blind signing part runs locally on your VPN client.

> It's way too late for them to try and establish privacy credibility.

I personally don't think it's a good idea to trust any corporation to be a good or bad custodian of your personal data based on their public image or even past actions. These values can change very quickly, especially in publicly-traded corporations.

What matters much more than self-proclaimed statements or public perception are economic incentives, and I believe Google has quite strong incentives to not get hit by huge fines for violating the GDPR and other privacy regulations.