Originally Posted By: K447
I do not want Google devices in my home. Hence the interest in eero.

Needless to say, this is every bit a concern for me. I might as well make my threat analysis explicit.

Random untargeted Internet attacks: there are all sorts of unpleasant things out there on the Internet, just looking for the unpatched security nightmare of the various devices on your home network. For that, you need a firewall / NAT of some description, and preferably one that gets regular software updates from the vendor. I was entirely happy with my Apple gear until they end-of-lifed it, so it was clearly time to jump. Google WiFi auto-updates itself without me having to do anything. That seems nice.

Attacks against the router itself: This has lately been a thing, particularly for routers with default passwords on their web interfaces. Attackers redirect your browser to then attack your router. To some extent, any router can be configured wrong, but Google seems to do the "secure by default" thing correctly. See also the auto-updates.

Evil vendor 1: data collection on everybody: In this weird modern world, where "if you're not the customer, you're the product", it's a completely realistic threat that your WiFi vendor might have it in for you. Certainly, ISPs do many variants of this (deep packet inspection, etc.). I'm modestly impressed by Google's public stances in opposition to this sort of thing. Of course, a significant fraction of my traffic is to and from Google servers, so they'll see that anyway. Much of the rest is encrypted (https or ssh). Also, needless to say, my ISP knows a ton of information about who I am and where I connect and I have to trust them, whether I want to or not. To me, the best tradeoff between technical complexity and privacy protection is running a good ad-blocker. I currently endorse uBlock Origin.

Evil vendor 2: man-in-the-middle attacks of various sorts on everybody: We see this mostly in the land of the evil ISP, doing things like injecting advertisements or extraneous cookies into web pages, or resolving failed DNS records to their own servers. Google and its customers are often the victims of this sort of attack. Also, if Google were to pull this crap, the uproar would be striking. And then I'd throw away my Google WiFi gear and buy something else.

Evil vendor 3: targeted attacks on me: This is the San Bernardino iPhone threat model, wherein the government wants to get into my router's firmware, and because the vendor does trusted boot / signed firmware, that requires the vendor to spin up a custom, signed firmware image, just for me. I'm at least modestly impressed that Google has made it hard for this sort of thing to happen without their explicit intervention, and knowing the people there, they'd go to court, just like Apple, to fight any order compelling them to produce signed malware.

Lastly, how about Google vs. startup-vendor-du-jour vs. cheapo routers you buy from Amazon: So far as I can tell, Google isn't doing this to make a ton of money, given how the Google WiFi is cheaper than its competition by a significant margin. Instead, they seem to be trying to make an engineering statement, raising the bar for everybody. The most obvious way you can see this is their use of USB-C for the charging port on the Google WiFi. You know that this increases the cost, yet they're doing it because, dammit, it's the future. My concern with the cheap routers is that their vendors won't properly support them (see, e.g., the FTC lawsuit against D-Link) and that, simply, they're not built to last. For a while, I was buying a new Netgear ADSL box once a year because they were burning out on me. The startups (Eero, also I'll put Unifi in this camp) are a bit harder to analyze. Since, pretty much by definition, a startup is still trying to find the exact business model to make them successful, you can imagine where they might want to change how they work over time. As mentioned earlier, Ooma (the VoIP people) are now trying to extend their VoIP adapter to also be your home router, and charge you monthly for the privilege. Should you trust them?