Data breaches are common now, it seems like intrusions are more sophisticated, or security measures weaker. Security experts try to keep all systems safe, but security measures pass to the users in some cases.
Letting users protect themselves is ok-ish, but it needs to be in understandable terms. We cannot expect users to become security-savvy from one day to the next.
Historically, data breaches start from the inside, in other cases, from poor dev/product decisions.
Users expect that their information is protected. If that’s not the case and products cannot guarantee that, they should put it clear from signing up. Not hidden in the ToC page, make it visible and let the user take the decision.