Yeah, I get what you're saying but it's only a SPoF in the sense it is one company. However, not knowing is a feature, not a bug. We shouldn't know.

For example, I work in G IT and our vendors have to be FedRamp compliant. To get that certification, some of their systems can't touch, certain people cannot interact among teams, etc. We get these sort of setups for non-critical data to boot. For critical data, it can get even more stringent.