#1 doesn't really help if you also want to use EC2, Lambda, etc.
#2 assumes that the US national security apparatus is playing by international law, which the EU may not want to assume. Like the EU cookie law, regardless of the intentions behind the ruling/law, what matters for me as a developer is what the law thinks I should do to protect my users, not what I think I should do.
Yeah, but there's unfortunately a difference between wanting to use Lambda and needing to use Lambda, and I'm pretty sure that even an EU court can tell the difference. "We hosted in America because only Amazon supports Lambda." "OK, and what does Lambda do?" "It runs code for us when we tell it to." "And there are no European services that run code for you when you tell them to?" "Uhh...."
My point was that when you're considering what technology/hosting/cloud provider to use, you are balancing a variety of factors and very few people should weigh "can be attacked legally by the US govt" with weight of 1.0 and all other factors with weight 0.0.
Some businesses will weigh the US risk as 0.1; others at 0.001 and even those that weigh it at 0.1 might be better off choosing a provider with a higher risk of that in exchange for a richer catalog of building block services.
#2 assumes that the US national security apparatus is playing by international law, which the EU may not want to assume. Like the EU cookie law, regardless of the intentions behind the ruling/law, what matters for me as a developer is what the law thinks I should do to protect my users, not what I think I should do.