Per the spec[0], AMP pages must load the AMP runtime via a script tag that references a Google-controlled server, cdn.ampproject.org. This means you are handing over both your site security and your traffic logs to Google. This is a non-issue for the many sites that have already made that bargain (by using Google Analytics, Google Hosted Libraries, Google Fonts, etc.), but it is definitely an issue to some.
Great point. IMHO Regardless if you use GA or not, AMP will be a non-starter for any respectable developer who advocates for the open web for this reason.
I think you'd feel different if it was the government installing a tracker in every page. Because it's a company, you say, it's like any other company.
Some companies own so much of a user's online identity, I think it's time they stop growing. If Maps, Gmail and others were all separate companies and they were all competing for market share, I would have no trouble with them. As it is, I'm avoiding all of them whenever possible.
Companies are typically beholden to shareholders and customer reputation, which in this instance is pretty strong.
You could just as easily argue that it's better to have a few gatekeepers with a strong reputation for security than a proliferation of many gatekeepers with little history or reputation, because the latter increases your chances of showing up on haveibeenpwned.com.
Yeah they said something about open source on the main page. My first thought was "good marketing point, they probably have that legally covered and will force real FOSS to find a new name to differentiate".
Then I got to the guide or spec or something. Saw the CDN. Opened it. Bunch of minified horsecrap of course, with no mention of a non-minified version or how you can host it yourself. Suspicion confirmed.
[0]: https://www.ampproject.org/docs/reference/spec.html