I raised exactly this possibility with them when they announced their new model. Their support would not engage with this even as a possibility. Just assertions that everything would be completely secure.
Getting access to this data is the holy grail for attackers - it is preposterous not to have a local-only or "saved on iCloud only" model. Clearly the only reason they removed this ability was the juicy, juicy subscription revenue, which requires them to hold the data.
They may have avoided a breach this time but have they previously been breached? Will they be breached in future? The possibility of each is non-zero.
Needless to say, I'm still using the older version and am planning how to transition once it stops working after an OS update.
The irony is that as a user since at least version 3, I would have easily kept paying a yearly subscription fee just for the same local+sync they had before centralizing. It’s clear that most tech businesses need stable recurring revenue in order to keep doing their best work.
They could have probably done an Amanda Palmer-style patreon (donations fund the ability to make all work public) for individuals/families and a straightforward high-cost enterprise subscription and been just as big if not bigger.
Getting access to this data is the holy grail for attackers - it is preposterous not to have a local-only or "saved on iCloud only" model. Clearly the only reason they removed this ability was the juicy, juicy subscription revenue, which requires them to hold the data.
They may have avoided a breach this time but have they previously been breached? Will they be breached in future? The possibility of each is non-zero.
Needless to say, I'm still using the older version and am planning how to transition once it stops working after an OS update.