ANY antivirus tool can be instructed to spy on its customers.

It doesn't matter in which country the company or its customers reside.

Yes, if a US antivirus tool gets caught spying on US customers, and it wasn't ordered to do so by the USG, there would be legal ramifications. But does that really matter? Once the customer data has been stolen, its game over. There's no "undo" button for that.