Yes I think you have to, to a extent the same also applies to dedicated servers. Even if you own a server that you place in a Colo, they can still pull your drives or plug in a KVM.

If you're data is sensitive encrypt it locally and send it. The reality is most people are running something like a website, API or a SAAS and basically just have to have a provider they trust somewhat and take reasonable security precautions themselves. Beyond that it's probably not as secure as it could be unless it's in a facility you own or control access to.