forget cloud, forget VPS. Always rent a discrete private little server on a rack, with a dedicated IP, with all of machine for your use, and test to make sure you are not "virtualized" and being lied to using low level tools.

this just happened this week with OpenVZ template for Debian 10 - and from the official source allegedly - meaning many providers were backdoored).

TRUE! shocking and true !

Vulnerability in Plesk SolusVM Debian 10 template - "debianuser" backdoor/default user:
https://www.lowendtalk.com/discussion/169685/vulnerability-in-solusvm-debian-10-template-debianuser-backdoor-default-user

From that :

Please check your servers for a debianuser user. If so, you're probably best off wiping the whole thing and restoring from backups.

Thousands of VPNs now hacked by the NSA paying a engineer cash to make a "mistake" in Plesk SolusVM Debian 10

Other hacks harder to find than that though. That was comically easy to explain away as a mistake.

Apples' subverted SSL source code is far more evil nation-state sabotage of code by the NSA paying apple engineer to delete a couple key lines of source code.