"Your overall security hygiene dramatically improves if most of your workloads are on a cloud,"
TL;DL - Shared responsibility model for all Public Cloud providers (CSPs):
CSP is responsible for the security OF the cloud.
Customer is responsible for the security of workloads WITHIN the cloud.
If the vice president of security for Google Cloud said that, then perhaps the following link (to a PDF) might be essential reading:
https://services.google.com/fh/files/misc/gcp_pci_srm__apr_2019.pdf
From that PDF:
"Customers of GCP bear sole responsibility to meet their own PCI DSS compliance for these requirements"
is in contradiction with
"Your overall security hygiene dramatically improves if most of your workloads are on a cloud,"
Anon as I work for a vendor in public and private cloud infosec.