> From a legal perspective, isn't the burden of communicating privacy to the customer on the website/content provider, not Stripe?

They get the burden, but they wouldn't be able to know about evil activities from the third party provider.

In the unlikely case where Stripe was a bad player, the customer would sue the website, the website would countersue Stripe