I think this is useful unless your threat model doesn’t contain supply chain attacks by non-Google actors (which would be a pretty absurd position to take, there are plenty of malicious actors out there, Google aren’t the only one!)
It clearly helps to mitigate against some threats, and so makes sense as a mitigation in your threat model.
I agree that you may still want a mitigation against Google acting maliciously, but that doesn’t make this pointless.
I don’t think that’s true.
I think this is useful unless your threat model doesn’t contain supply chain attacks by non-Google actors (which would be a pretty absurd position to take, there are plenty of malicious actors out there, Google aren’t the only one!)
It clearly helps to mitigate against some threats, and so makes sense as a mitigation in your threat model.
I agree that you may still want a mitigation against Google acting maliciously, but that doesn’t make this pointless.