I think these are growing challenges internationally. Although Europe is now very clear on data protection and how you store anything that has identifiable data on an individual of any kind, there are similar laws in Australia, and most recently a law was passed in California which is expected to be picked up by other states in the United States of America.
There is a growing challenge and misunderstanding of the concept of cloud computing and what that means, because not all cloud computing = data held across the globe, it could just as easily be virtualised servers in a single location. The law in Europe at least is quite clear that there is no issue with cloud storage, you just have to identify which territory the data is hosted in.
The question that came up recently for me and a client was whether there was any benefit to cloud hosting over local servers. All their employees are within one location and have access to it. Without a remote workforce the purpose of cloud is understandably redundant from an access point of view, but the cost of physical drive space is still something to consider.
I don’t see anything wrong with well structured and designed storage directories locally and referencing the files within another platform.
To give an example there’s nothing saying you can’t have non PII data housed in a cloud platform such as Google Sheets, or Airtable et al with url references to local drives. They will not be accessible unless you have permission and are on the network. It’s also possible to encrypt those references if necessary too.