"But there is the option of encrypting a customer's data with their own key(s) in such a way that the cloud service never has access to said keys."
If this is just the customer using the service for storage, then yes. But the problems start when the service company is doing some processing. Think, for instance, of your pension company processing your data in the US. Or your employer using an online HR system there.