The question was not whether or not they might do it but whether or not they always did it. If a user is required to submit their encryption key to a third party for storage then the encryption solution is limited by their trust in the third party.