That said: on account of size, targeting, procedures, and what I find are generally fairly diligent employees on the tech side (design, products, ads, and gov't rel'n are another story), you're probably as safe with Google as with any other large vendor.
That said, the basic problem here -- getting locked out of your account or profile, or allowing the wrong person in -- is a HYUUUGE problem. And the 2nd Amendment people can't do anything about it either, to continue the allusion....
I wrote of my own "I've been locked out of a Google account" account, well, twice. It's been pretty annoying (particularly as I'm paranoid and don't trust Google to know who I really am, because reasons). It's been resolved within a few days, though it leaves me scratching my head a bit.
As I noted the first time, and have adopted as a slogan for this type of event, "Who are you is the most expensive question in information technology. No matter how you get it wrong, you're fucked." See: https://redd.it/2w618r https://redd.it/3mo7l6
Unfortunately, that issue is paired with another, also sloganed and given to much use: Data are liability.
If you hold data about people, or state they consider important (e.g., a widely used codebase), or other elements, then you've got control point others may well find they wish to avail themselves of.
I don't have solutions to either of these problems (I'm paranoid, not narcissitically delusional). I can see the shapes of possible solutions, including reducing attack services and possibly having a more widely distributed and socially-integrated identity verification mechanism. Or offering far more services as stateless and without locally-maintained data, at least in cleartext.
Better notifications, recovery, and encryption methods for mail would also help -- capture of email accounts would matter far less if they were encrypted to keys held only by the user (and absolutely not on the control path involved in accessing or specifying them, such as MXs).
