Sites down, no comms

I buy into the idea that trust should not be given to other entities unless it is necessary to function. Reducing our attack surface requires reducing and limiting trust as much as possible, regardless of threat models.

This is indeed true, and one of the reasons why I suggested that Purism consider deploying a Tor hidden service to mirror their websites earlier in this thread. They could also just self-sign their certificate, but that usually gives off security warnings in browsers now.

Cheapest or not does not matter, considering a large number of websites use Let’s Encrypt, which is free, enough that the EFF is already on its way to sunsetting HTTPS Everywhere due to how well Let’s Encrypt has been deployed across the Internet.

Purism uses DigitalOcean as their web hosting provider, which is based in the USA, at least for their main website.

https://hostadvice.com/tools/whois/#purismspc.com

Correct, which is why Purism also assemble their products themselves in the USA for their Librem 14, Liberty Phone, and Librem Key.

Ignoring Germany since it is not applicable, this situation with China is largely because Purism had to start somewhere over 4 years ago. Clearly they have been making enormous efforts recently to bring their manufacturing process into the USA. My speculation is that they intend to bootstrap to this instead, since it gives them a significantly more secure supply chain.

Trusting another entity only to deal with legal recourse against them later for your brand and clients could have been avoided in the first place if good judgement was exercised to begin with. I can at least appreciate that the Purism team has a firm stance on this matter, enough that they understand placing liability on another entity goes against their social purpose.
