That would be my assessment. Now the audit report is always scoped by the one buying it, and you can ‘carve out’ things you don’t want reported on; however, a competent auditor will include that in their notes. So if I am reviewing a vendor’s SOC2 report and the auditor says, well, we looked at their server and operations, but the source of the system [Storj] was not in scope, I would walk away and find a better vendor. My legal department would also insist on that, since enterprise legal departments are very risk averse concerning corporate data. IT Security/risk managers will always tell you, it is not a question of whether a system will be hacked, but when it will be hacked and what the consequence is.
It is a mistake for Storj to think that SNOs are the weak link in the chain. A secure data center for SNOs will be good for availability (reduce the risk of systems going offline).