@jared You are definitely thinking about the right things here and your understanding of OAuth2 basics is correct.
There is certainly a responsibility put on the user to determine what method of auth is right for them. Interestingly enough, Facebook actually offers additional security layers for auth, but I think most people aren’t aware of them (or don’t care 
)
Our backend is hosted on Google infrastructure, which sets a very high bar for both platform and physical security. We do not keep any keys alongside the encrypted data, which means that an intruder would need to compromise multiple pieces of the infrastructure to have a chance at compromising the data.
For those who want even more security, we also offer zero-knowledge encryption. You can encrypt the data within your storage with your own key, ensuring that only you can decrypt and access the data. https://www.odrive.com/features/encryption