* As long as there is data, you can pretty much assume it's already exposed. All it took is one mental midget in a 10,000-person corporation to upload sensitive data to Dropbox "for convenience". Boom. Just like that. There goes the data. Totally exposed to the US surveillance state. It's probably with the Russians and Chinese as well.
* If you want no data exposure, there is only one viable solution: **The data should not exist in the first place.**
I don't see this concept talked about often if ever, but Monero folks seem to grasp it more than most (at least subconsciously).
(Of course there are exceptions, such as individual data on airgapped computer. Not my point.)