Personally, I think the current state of things is such that neither is truly feasible, although the former is more feasible.
Not that feasibility is the sole factor.
I recently said this in another post:
If you send unencrypted data to a server, you are fully reliant on not only their willingness to protect your data, but their ability and competence to do so.
So:
On the “individual responsibility” side of things, seems like people should A: be made aware of the dangers of how their data can be handled and B: willingly choose if it’s worth taking the risk.
On the one hand, a democratically enforced policy that ensures big tech doesn’t do malicious things with our data seems important. On the other hand, even if a tech company or startup wants to handle your data securely, that doesn’t mean they have the bulletproof competence to do so. Everyone gets hacked.
First and foremost, data self-custody is a right that should not be infringed. If a person encrypts their own data, they should never be forced to give up the key.
Beyond that, my gut says individual responsibility is where the buck ultimately stops.
And yes, I think that means most people should put significantly less into the internet and web applications.
So much of the internet is a mistake.