I honestly don't think it's that simple, and in fact I suspect it gets harder the bigger the company. They could have every intention, even a plan and an working implementation today to keep any data they collect out of the hands of a buyer or the government, and still have a very hard time ensuring it when the time comes. It does sound like @pc is actively committed to it though.

I don't think anyone's playing dumb. I am completely speculating, yet absolutely certain, that they have actually considered future scenarios for collected data, and I believe that there are legitimate reasons to still need to discuss this and other scenarios that come up with a legal team every time. If it's not clear why this can happen, it will become clear if/when you run a company.

It's true that not collecting any data is a foolproof way to guarantee it doesn't get into the wrong hands, but that's tying both arms behind your back in the online world, and it would mean in this case choosing to not train any fraud detecting neural networks. There could be an even bigger mob if Stripe knew how to prevent certain kinds of fraud and chose not to for ambiguous privacy reasons.