Board: Hardware wallets
Topic: Re: Do Hardware wallet Manufacturers Ship to PO Boxes or Not?
Post by n0nce on 07/11/2022, 00:16:54 UTC
Some want more info than others. But keeping it internal by running something like BTCPay is still better.
I can't help but think of Ledger in this situation. All it takes is one unknowledgeable or malicious employee to destroy your reputation forever. Ledger wasn't just affected by the Shopify breach. Their employees caused a similar incident themselves. Self-hosted or not, your data is still sitting on a server somewhere that could get hacked with enough motive and incentive. I agree that it's surely more rewarding attacking and breaching the defenses of a 3rd-party company, which handles such data by millions of customers than to attack one individual business.
There is one more nuance to this.
Sure, an individual business hosting everything themselves may not notice a data breach quickly, may not communicate it to customers, or if they do, customers may not read about it. These are the downsides. And I'd argue that it's more likely for a small business to fuck up some server configuration or have less tight security training of employees in non-technical fields like accounting and customer support (social engineering vector).

But hear me out: The most secure way to store data is not to store it. Or to store it for a very limited amount of time.
With all the shortcomings of self-hosting mentioned above, it is also much easier (and verifiable) to completely delete customer data when you host it yourself.