Most (US) companies don’t consider the US government to be a significant risk to their business, partly because they’re already subject to it.

They also commonly believe that Microsoft can secure these keys more effectively than they could do so in-house. And they’re probably right.

Now, it’s an entirely different story for any companies not subject to US law.