
Your bank is already a third party with its hands on your financial information, likely stored "in the cloud."

Check out Chase's privacy policy as an example:

https://www.chase.com/digital/resources/privacy-security/pri...

A number of information sharing activities cannot be limited. This is typical of any bank or financial institution. Your bank has its own vendors, many of which are themselves SaaS and cloud hosted!

Even large, sophisticated banks can be hacked:

https://www.nytimes.com/2019/07/30/business/bank-hacks-capit...

My point isn't to say "Why care at all? Just open the floodgates!" Instead, my point here is that trust and security in our society are only as good as the people and institutions that back them up. We don't use bank vault doors for our front doors just because we have the knowledge that anyone with simple tools can defeat a home lock.

Therefore, I think that the choice of more inconvenient solutions made just to avoid some nebulous what-if scenarios involving privacy is often (but not always) the wrong way to go.



The problem with YNAB is that,

A) They will have all of your financial information, as opposed to banks that will each get a slice. So the data they have is much more sensitive.

B) YNAB has around 100 employees in total. They do not have the resources to secure their data the way big banks do. We all have our doubts about security at big banks, but I am sure small startups are way worse.

C) It was all unnecessary for YNAB to go online. The decision, much like 1Password's, was about money, not clients. I cannot live in this day and age without a bank account. I can live with an old version of YNAB. Heck, I can live even without YNAB. If banks are a necessary evil, YNAB is an unnecessary one. Why increase your attack surface with unnecessary stuff, just because there is some necessary attack surface remaining?


Re. point C, I think everyone's use case is different but for an alternative perspective: it was absolutely necessary for YNAB to go online for me to buy it.

The mobile app is a really key use case for me, and even as a technical person I just can't be bothered to set up hacky sync via Dropbox or expect my family to know how to do that. Even if I could be bothered, now I'm just kicking the responsibility to Dropbox + myself with all the same problems. I'd rather have the app developers manage that responsibility.



