It comes down to how you personally balance these risk profiles.
1. Local. Physically close to me most of the time, running on hardware I own, maintain, and keep secure. I am responsible for backups, and for detecting and dealing with corruption or attack. I can control all access to the data, and can easily prevent remote access by switching it off when not in use. Vulnerable if I get burgled, mugged, flooded, etc.
2. Cloud. In the hands of specialists outside my control. Their greater expertise and specialisation can mean technical security measures are higher, physical security MUCH higher. Resilient, fault-tolerant storage. Vulnerable to the motivations of the same specialists. Always online.
It is a balancing act between doing something yourself and paying someone else. The line is in different places for different people, based on their own expertise and how easily they extend trust.