I don't hear people making this argument at all. The original complaint is that Joplin is making a call to a Google server. This may have something to do with secrecy, but it has nothing to do with keeping the user's data private. The argument is simply that if you need that level of control over what your software does to external servers, then you need to be using some other kind of protection.
I think this is very true. It's fine to care about server calls to Google. It's not fine to equate this with the devs being irresponsible/deceitful and sharing user data.