Isn't that what "The Cloud" is all about?
If you work with Office365 then you are effectively working with a web application that's based in the cloud. There might be local storage at a company but its effectively just cached data.
I'm quite sure that the people who designed these products never intended for customer's data to be visible to the company, they just want to provide users with a useful product while incidentally locking them into their subscription business model. The fact that the traffic to their servers, even if encrypted, could give Microsoft an insight into a customer's business isn't central to Office but it could very well become so if there was a business case (or a government warrant) to do so. I'm just surprised that the EU's GDPR wasn't written with cloud applications in mind, it seems to be stuck in the era of floppies and PCs.
Personally, I regard cloud based applications with a lot of suspicion. Its not privacy that's uppermost but rather the idea that they assume a reliable, high speed, low latency network infrastructure -- there's just too many points where the system can fail leading you in the lurch, unable to do anything.
(I also don't get this penchant for shaking down - fining -- large corporations huge sums of money. If you allow your government to get into extortion on a large scale don't complain when they realize that it can be used effectively on a smaller scale. OK. Microsoft is big and bad, I'm no fan of that company and its products, but just turning a blind eye to this because 'they deserve it' or 'they can afford it' really isn't a good idea.)