If you need to operate with minimal trust, you can use customer-supplied encryption keys (CSEKs), which enable you to maintain your own separate root of trust and push keys at time of use to Google Cloud via an API. Those keys are stored in RAM during the time required to perform the specific operation.

With CSEKs, the burden and responsibility of protecting and not losing keys falls to you. Google has no way to recover your data if your keys are inadvertently deleted or lost. It is very easy to get this wrong. So, if you use CSEKs, then you need to be exceedingly careful and must also invest in your own key distribution system to push keys to Google to match the rate of use in your applications.