How do we know that one of the keys used for decryption doesn't belong Google
I can think of several schemes where one of the keys is a Google key. It can be done directly (N + 1 keys, where N is the number of users, and 1 google user) or with mathematics where you can derive Google's key using some Galois field math.
Google may claim it is doing for legal reasons. It reminds me of the Clipper system.