I had to switch from Render to Heroku a year or so ago because Render had no security documentation at all. I asked them about it at the time and was told security docs were perhaps six months out. There's still none, so it's clear that demonstrating security is not something that's a priority.
I agree we haven't focused on demonstrating security, but obviously, internally, we are quite paranoid about it. Still, this comment is well-deserved because as much as we'd like them to, our customers can't simply read our minds.
