Let's say 14 Eyes instead of 5 Eyes, since that jurisdictional issue extends to those countries in most ways as well :)
Finland, Seychelles, Romania, San Marino all have pretty good privacy laws, yet some of them are still listed as 3rd party nations due to their association w/NATO.
Even a business based in a 5 Eyes (perhaps 14 Eyes) country may be subject to compliance with Intelligence agencies even if their physical infrastructure assets are located outside of this sphere.
Security is relative, so the first question one needs to ask is, "What is it that is occurring on the machinery or network that needs to be safeguarded?"
For example, Finland has great privacy laws, but blocking/filtering Pr0n is an option for providers in that country.
Germany (a 14 Eyes nation), is quite strict with software piracy and copyright infringement.
Romania, purportedly has very strong privacy laws and favored by many, but it's also not really a friendly place for pr0n. Romania also rejects EU regulations to the contrary of their own privacy regulations as unlawful.
A lot of people like Switzerland and The Netherlands, but the latter falls squarely within the 9 Eyes layer of the lasagna.
Again, it's important to check the country of registration of the provider too.
I like to examine exactly what it is that the customer does or is looking to do, and then make determinations upon that and other information I have for them.
Most folks having, nothing to worry about other than which country they want their IP addy's originating from for the television programming they're interested in, or perhaps some cryptocurrency accounts or other VoIP or banking activities.
Very few domestic terrorists exist in comparison to folks who are either just paranoid or insist on their right to privacy as a matter of principle, and if I ever had a customer that I found was some kind of terroristic miscreant I would likely save the government the court costs and simply dispatch them to Valhalla myself.