
Admittedly I was asking this here primarily for small business suggestions; I certainly wouldn't expect a simple provider switch to pull the wool over the NSA's eyes. It's a silly thought for a business anyway, where the only people you might be trying to hide from are your competitors. As you said, for practical security Google's offerings are likely top notch, and it gives me no qualms having some accounts with them. That being said, I think there's still room for someone to bring almost as much to the table security-wise through focus and perhaps a tighter codebase, but beat them out with clear ("fair and decent") terms in regard to privacy and data handling.

Regarding Fastmail, as far as I can tell the new interface is one of the better ones around, and it's a big help that they provide Yubikey authorization. I've been using Google Authenticator for a while now, but in recommending it to others I've found people taking advantage of just about every opportunity to undermine its usefulness (e.g. backup codes not protected, or used regularly when their phone is dead; disabling two-factor auth for a few days because they forgot their charger; or sharing app-specific keys...).



How do you know that you aren't some trivial but obscure SQL injectable HTTP POST away from losing all your mail on that provider? Because I gave you a reason to believe you don't have to worry about that on Google Mail.
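The "trivial but obscure SQL injectable HTTP POST" above is easy to picture concretely. The following is an added example, not code from the thread or from any provider it mentions: a toy mail store in SQLite with a hypothetical "delete message" handler written two ways. The vulnerable one builds the DELETE statement with string formatting from the POST body's id field; the hardened one binds parameters and coerces the id to an integer. The table, the users, and the attack payload are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a toy mail store holding two users' messages.
SEED = [
    (1, "alice", "Q3 invoices"),
    (2, "alice", "Lunch?"),
    (3, "bob", "Offer letter"),
]

# A value an attacker could put in the POST body's id field. AND binds tighter
# than OR, so "owner = 'alice' AND id = 1 OR 1=1" matches every row.
ATTACK_ID = "1 OR 1=1"


def fresh_db():
    """Return an in-memory database seeded with the constructed messages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mail (id INTEGER PRIMARY KEY, owner TEXT, subject TEXT)")
    conn.executemany("INSERT INTO mail VALUES (?, ?, ?)", SEED)
    conn.commit()
    return conn


def delete_message_vulnerable(conn, owner, msg_id):
    """Hypothetical handler: msg_id is pasted straight into the SQL text."""
    sql = "DELETE FROM mail WHERE owner = '%s' AND id = %s" % (owner, msg_id)
    conn.execute(sql)
    conn.commit()


def delete_message_hardened(conn, owner, msg_id):
    """Same handler with bound parameters; values can never become SQL syntax.

    int() additionally rejects a non-numeric id before it reaches the database.
    """
    conn.execute("DELETE FROM mail WHERE owner = ? AND id = ?", (owner, int(msg_id)))
    conn.commit()


def remaining(conn):
    """Ids of messages still present, in order."""
    return [row[0] for row in conn.execute("SELECT id FROM mail ORDER BY id")]


def demo():
    """Run the attack against both handlers and report what survives."""
    results = {}

    conn = fresh_db()
    delete_message_vulnerable(conn, "alice", ATTACK_ID)
    results["vulnerable_after_attack"] = remaining(conn)  # every user's mail is gone

    conn = fresh_db()
    try:
        delete_message_hardened(conn, "alice", ATTACK_ID)
        results["hardened_rejected"] = False
    except ValueError:  # int("1 OR 1=1") fails; nothing reaches the database
        results["hardened_rejected"] = True
    results["hardened_after_attack"] = remaining(conn)

    delete_message_hardened(conn, "bob", 1)  # bob cannot delete alice's message 1
    results["hardened_cross_user"] = remaining(conn)

    delete_message_hardened(conn, "alice", "1")  # a legitimate request still works
    results["hardened_legit"] = remaining(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two-line difference is that the vulnerable handler's blast radius is the whole table, not just the requesting user's mail, which is exactly the "losing all your mail" outcome the comment describes.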


First off, I can't really fathom why anyone (businesses!) wouldn't keep good offline backups of their email, of all things. But it's a fair point; data loss isn't the only threat, and Google is not lacking in engineering talent or money. Still, wouldn't their threats scale with their services and number of users? I don't care for any of the features that come with a Google account (really, just mail), but if an attacker found an exploit in any of the services attached to an account, things wouldn't be so swell. To some degree the only reason I asked this question in the first place is because admittedly I cannot provide any specific counterargument to what you just stated. I was hoping others might, but I certainly appreciate your weighing in either way. If you really think that Google is the best way to go for practical security (do you use them for Matasano/Cryptopals/...?), then I'll keep them at the top of my list, but it's still out of my price range without significant restructuring. Perhaps I was too hopeful about finding the tarsnap of email or something. Ahh, well.


Still, wouldn't their threats scale with their services and number of users?

No! This is almost never true!


No? I didn't mean that they're just a bigger target. Are you saying there is no additional threat (whether XSS, HTTP, SQL or whatever) to the system when YouTube, Google+, Gmail, etc. are all being developed by different teams with different timelines, etc.? Of course they must have pretty sound security practices in addition to frequent coordinated reviews, but I can't imagine that makes things any easier.


Yes, I am saying that you are at vastly less risk of losing your data to an SQLi flaw on Google Mail than you are on some small competitor to Google Mail. I am saying exactly the thing you seem to be surprised I'm saying, and if you ask any 5 other software security practitioners the same question, at least 4 of them will say the same thing (I'd actually be surprised if 5 didn't).


Very well then. Practically speaking, I'm much more concerned with spear-phishing on Google services than with what we're discussing, but I'm glad you took the time to make your points. I won't hold my breath for them to introduce more flexible plans any time soon though... (As a sidebar, MS Office365 looks to be about the same thing, and not much different from Google on price/plans.)



