It is a very good statement and would need to be very much part of the design.
I think the goal here would be the API is accessible through the Obsidian Sync service. So you have already opted in to your vault being stored in the cloud.
Second, since users can define their own encryption key, it would mean there are limitations about what could be read or written.