Passing a SOC2 audit (typically needed every year) requires each entity, let’s say Storj in this case, to prove their processes are secure. It is not enough to use encryption. How do they manage keys? Where are the vulnerabilities? Is their code tested prior to release? Is their system penetration tested annually by a competent 3rd party? Do they do background checks on their employees? Do they publish, internally, an org chart and keep it up to date? (And many other controls which require evidence.) Are their hosting sites (for satellites) secure, and do they have a SOC2 audit annually? Is the code Storj writes tamper-proof (wherever it is stored)? Do Storj employees and contractors have secure laptops/machines? If Storj cannot pass annual SOC2 Type 2 audits, then it is really pointless to require SNOs to be more secure.
It is definitely not enough to run a server in a secure data center. Think about it: if you have a super secure data center, but the application is connected to the Internet and there is no security (the application is poorly written), then the system as a whole is insecure.
The same applies for an SNO: is your system patched and properly secured? Who has access to the server you run? Can a malicious actor put a sniffer/keystroke logger on your system and capture your keys, or inject their own software into your system, causing some compromise?
Frankly, I think the more vulnerable systems are less about the SNOs but rather the Storj systems and employees who have more ability to compromise the customer’s data.