Though since the Snowden leak, Google really upped their game. Everything internally is encrypted in transit and at rest. Even when you use Google Cloud you automatically get encryption at rest.
It would take a very concerted effort. There are multiple levels of encryption and the best practice is that only verified builds can run in production and only non-humans are ACL'd to access security keys. Any attempt to do so would be limited to a very small group of people, trivially logged, caught by AI for inappropriate behavior, and cause a firing.
Right, but Google owns the encryption, which means I have to assume they are reading the messages. They changed their policy once, they can change it again.