Yeah there's basically two different levels of trust that we're talking about here:By that logic all vendors have the ability to spy and we should assume they all do. We can't verify any claims of what these vendors don't do.
The second, is what if the vendor is doing something sneaky they're not even telling you about? That's a valid question, and I am sure this happens all the time, where governments compel companies to do certain things, usually for high value targets where respect for the justice system gets thrown out the window. That I don't have any good advice on -- it's technically possible, and if you distrust the company so much that you think they might do that, then of course, as @The Cog in the Machine said, the wise thing to do is don't use their software at all.
But even focusing on the first one, there's some interesting implications, such as:
- In the USA, if a company owns this kind of records, they are legally required to respond to legal subpoenas for this information. Think of the times that FitBit data got used in murder trials, or Alexa voice recordings got used in court. Similarly, a court subpoena could easily ask "What URLs did MacDefender visit and what apps did he launch on this night?" if it's relevant to a case. As long as the company has a way of retrieving that data, they cannot easily turn down such a request.