When it comes to privacy and security, I think you should treat all cloud providers equally. Use a client with client-side encryption so that the only thing that touches the provider is encrypted data.
Rclone is an example of a good client that can do this, and can even mount your cloud storage as a filesystem with its encryption layer in between.
If your firewall can set outbound rules, and you can control DHCP on your network so that you can reliably know the TV’s IPv4 address, you can block the TV from reaching beyond the local network there with a “deny all from source address of TV” type rule.
If your router/firewall is handling IPv6 though, it gets a lot more complicated, since the TV could have any number of addresses that change often.