Woah, no. Sure, escaping via a kernel bug or some issue in the container runtime is unexpected, but I “escape” containers all the time in my job because of configuration issues, poorly considered bind mounts, or the “contained” service itself ends up being designed to manage some things outside of the container.
Might be valid to not consider it with the services you run, but that reasoning is very wrong.


I wouldn’t be surprised if this is actually what happened here… tech companies in general don’t delete data if they can avoid it. I worked for companies that would just set deleted = 1 in the DB on delete calls. Google has more ability than anyone else to put that data to use