I think you misunderstand their suggestion. If you only gave service providers access to encrypted data (i.e. End-to-end encryption), then neither the service provider nor the leaker would be able to decrypt.
Whether or not that is a generally viable or desirable suggestion is a different question, but it is possible as demonstrated by Signal, Apple, etc.
There's only a limited number of things that can be done that way. Basically point-to-point messaging.
Most things aren't going to work with that model. Can Amazon ship you products without knowing what you ordered? Can you send and receive email on multiple devices without the provider having your email? Can you join public chat groups? Can you view your lab results without the lab having them?
And don't say "the lab can encrypt and send them to you". Your encryption key must be known to the lab, so they can provision a new device for you, in case you lose your phone.
Even the vaunted "WhatsApp and Signal" could actually read all your messages if they wanted to - they have your encryption key after all, all they need to do is deploy a version of their application that copies your messages to them.
> Can Amazon ship you products without knowing what you ordered
Well the whole point of not implicitly trusting third parties would be to remove Amazon from the equation altogether and instead be P2P with the shipper with just a protocol between us. If we need a third party, we can find another peer for that based on the intersection of our trust graphs. It doesn't have to be a global conglomerate with an IT department that we all have to trust implicitly. It could be Jimbob from down the road, who we both trust explicitly--this gets rid of high-value targets altogether.
Particl marketplace is pretty much this (no affiliation, I just like the idea).
Sure, I suppose there's still the possibility that the individual shipper was compromised, but like... Why? It's not exactly a juicy target. There would be no reason to really have a large database of addresses lying around. Print label, ship item, once receipt is acknowledged, delete address.
You replied to basically nothing I said, other than to say: It's better if everything is split up into smaller companies that are not interesting targets.
Nothing you said addressed the uselessness of encryption for this task.
PS. I hope you are aware that Amazon also sells things themselves, they are not just a shipper? And that even if Amazon sells for a 3rd party, you handle returns, etc, via Amazon? So even your singular example demonstrates exactly what I said: this idea would not work.
Not smaller companies. No companies. Individual people. That's a little different than "smaller".
As for returns and such, that's what the explicitly trusted third party is for: Jimbob. He can meditate disputes because both parties trust him in that domain (or they trust someone who...) Maybe that limits the scope somewhat, but global scale is overrated. Transitive trust ought to get you plenty far.
As for encryption, Jimbob need not know either address to fulfill his role. Encryption is for hiding such things from him (and from the operator of any nodes that are needed to for the protocol to function).
As for not having a design ready for every one of your examples. You've got me there. My point is merely that the space of solutions to these problems which do not require implicit trust of somebody's IT department is larger than you presume, and largely unexplored.
