Continuing to think about this, an analogy presents itself.
If I tell you a secret after getting your agreement that you
will not yourself tell anyone else, then I am trusting in
non-recursive disclosure, i.e., you break the chain and I
trust that you will not fail to do so.
If I place my execution or my storage in the hands of
others, then I am trusting in non-recursive propagation of
my code and/or my data. If the pinnacle goal of security
engineering is "No silent failure," then creating a
dependence on non-recursive exposure of execution or storage
is resolved either by blind trust or by a sufficient degree
of surveillability that prevents silent breaking of the
non-recursion constraint. But what would that be? Is this
a kind of supply chain argument that devolves to whether a
target is or is not big enough to sue? If I have proven,
workable recourse, then perhaps I can trust -- which is to
say I am able to then choose to take no additional,
proactive countermeasures. If I do not have proven,
workable recourse, then how can I prevent not just silent
failure but silent failure plus a clean getaway even
post-discovery?
Daniel Solove suggested that the greatest danger to privacy
is a blythe "I live a good life and have nothing to hide;"
so, in parallel, is not the greatest danger to data
integrity something of a parallel construction, something
like "No one would want to screw with my cloud, I'm just a
nobody"?
Thinking out loud; no need to answer,
--dan
+1