With that same logic in mind - we could say that anyone working at amazon AWS or Rackspace (or any other hosting companies) could gain access to your application.
The thing is we trust these companies to have processes in place so that their representatives won't have the ability to potentially do something destructive and if they can because they are the highest ranked rep and they need that kind of access - then at least auditing and training should be in place to avoid that kind of behavior.
SoftLayer still asks for admin/root passwords to your boxes in pretty much any support scenario. Their ticketing system actually has a field for it in the submission form.
If you omit it, the assigned tech will frequently ask for it. Always sends a little shiver down my spine.
The thing is we trust these companies to have processes in place so that their representatives won't have the ability to potentially do something destructive and if they can because they are the highest ranked rep and they need that kind of access - then at least auditing and training should be in place to avoid that kind of behavior.