It’s always your decision. That, in some ways, is part of the problem — because it is your responsibility to be able to judge risk of the companies and organizations that you engage with.
But here’s the thing about organizations with “a good reputation with others,” organizations change. A group that you feel comfortable giving your personal information to today could have an administrative turnover, a buyout, or simply different people in charge tomorrow — and those people may have entirely different desires, intents, and moral boundaries.
Making a decision based on “are they evil today” without concern for “could they be evil tomorrow” effectively assures that your personal information will be in the hands of people that you don’t want it to be in, sooner or later. That’s the thing.
Political architectures of all sorts evidence the exact same problem, really. Giving any organization more power because they agree with you today is no guarantee that tomorrow people that you don’t agree with won’t be in charge. How you consider that risk is a key part of risk assessment in your life in general.
My rule of thumb runs like this: if the worst possible person ended up in charge of that organization, would I still feel comfortable that there were enough checks, balances, and systems for me to disentangle myself from the risk they could provide, if I provide my personal information/support/power over my life/whatever to them?
If the answer is “no,” don’t do it. It’s really simple.