Remember that the last fiasco was related to 2FA stores being stored unencrypted on google's backup cloud, namely google authenticator.

And yes, it's still pwnable this way, and happens regularly.

Everything in the cloud is not yours anymore, and you should always treat it like that.