My argument is that giving this information to customers who need it is different from publishing it openly to the whole internet. I think many companies treat public subprocessor lists as a default best practice without thinking enough about the security tradeoff.
Would be useful to hear from people who have handled enterprise security reviews, privacy reviews, or trust-center decisions.