> How do we know if random internet service sells our email / password pair? They probably store the hashed password because it's easier (libraries) than writing their own code, but they get it as cleartext every time we type it in.

For that, we can just use a unique password per service. That's not really a thing for code.

> How do we know if random internet service

Audits. Obviously not every service is going to be in a jurisdiction that proactively audits data processors and controllers. Another thing to consider before you hand over your data.