I see a problem with OStatus that, it seems, is also seen by others - it may not be user-friendly. When a deployment that uses OStatus shuts down/fails, that's it - the users are gone. And that seems like a dealbreaker.
As another mentioned, email has this issue. Email (SMTP) is a federated system, much like HTTP. Basically, we can all have our own clients, servers, and live on our own, but still interact as a whole. Just like OStatus-powered websites. It then inherits all of these scenarios.
Users can be migrated, although it is easier if the identity is separated properly. Webfinger does exist to solve a lot of the migration headaches by allowing a well-known place to link all of your services to a common identity. You want to migrate? Just link to that new service. You then have to multicast some announcement, which is the hard part, and messy... but possible. Webfinger is usable from status.net, rstat.us, etc., but they also allow you to host your identity with them.
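An added illustration of the Webfinger lookup described in that comment (example code, not from the thread or any of the projects named): a client turns an acct: identifier into the well-known query URL and reads the returned JRD document, in which the old host can point at the identity's new home via aliases and links. The user, hosts and document are constructed; only HTTPS links are accepted so that a plaintext intermediary cannot rewrite where the identity lives.

```python
import json
from urllib.parse import quote, urlparse

def webfinger_url(acct_uri: str) -> str:
    """Build the well-known Webfinger query URL (RFC 7033) for an acct: URI."""
    if not acct_uri.startswith("acct:") or "@" not in acct_uri:
        raise ValueError("expected an acct:user@host identifier")
    host = acct_uri.rsplit("@", 1)[1]
    # HTTPS only: the answer says where the identity lives, so it must not be fetched in the clear.
    return f"https://{host}/.well-known/webfinger?resource={quote(acct_uri, safe='')}"

def parse_jrd(body: str, requested: str) -> dict:
    """Parse a JRD document and keep only what a migrating client needs.

    Returns the subject, its aliases (where a moved identity is announced) and
    a rel -> href map of HTTPS links. Refuses a document that describes some
    other identity than the one requested.
    """
    jrd = json.loads(body)
    subject = jrd.get("subject")
    aliases = list(jrd.get("aliases", []))
    if requested != subject and requested not in aliases:
        raise ValueError("JRD does not describe the requested identity")
    links = {}
    for link in jrd.get("links", []):
        rel, href = link.get("rel"), link.get("href")
        if rel and href and urlparse(href).scheme == "https":
            links[rel] = href  # plain http:// links are dropped
    return {"subject": subject, "aliases": aliases, "links": links}

# Constructed JRD as old.example might serve it after alice moved to new.example.
SAMPLE_JRD = json.dumps({
    "subject": "acct:alice@old.example",
    "aliases": ["acct:alice@new.example"],
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "href": "https://new.example/alice"},
        {"rel": "http://ostatus.org/schema/1.0/subscribe", "href": "http://new.example/subscribe"},
    ],
})

def resolve_sample() -> dict:
    """Resolve the constructed identity without any network access."""
    return parse_jrd(SAMPLE_JRD, "acct:alice@old.example")
```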
Your privacy argument thus holds true for email as it is a pull system where your email can be read by any intermediary server. You solve this problem in both instances with keypair encryption. The problem is not a technical flaw (closed, centralized systems are opaque about your data, which can be seen as worse), but rather a flaw in presenting and educating people to use secure practices if privacy is desired.
"I don’t have time for this, I’m shutting it down" should never happen. Don't use free services with no business model and don't provide free services with no business model. Even for your friends. It sounds harsh, but it's a lesson that people need to learn IMO.
I agree that DiSo apps need to have built-in continuous backups and migration support.