After being asked personally a few times and reading claims by others a few more, I thought I'd set the record straight....
Working at Google does not give you access to the data of users!
It's an easy assumption to make. After all, most companies don't put internal access controls on data making it easy for every employee to access everything inside the firewall. Google does not work that way.
Though there are many groups at Google, we'll simplify it into Software Engineering ("SWE") and Site Reliability Engineering ("SRE"). I was the latter for 5 years and I've been the former for 3.
SWE, in general, has access to nothing. They run their code on their own workstations and sometimes test clusters with test data. A few get access to anonymized user data for their service -- more on that later.
SRE is the group that owns the keys to the kingdom. They're the group (actually many small groups) responsible for running Google services "in production". They almost always have access to anonymized user data for their service and the ability to access "raw" logs if necessary, again for only their service. The kicker is that, since around 2011, this latter access comes through a specific interface where you must explain with each request why you're doing this. All those actions are logged and those logs are audited. Misuse of the access will get you fired.
What is "misuse"? I can't even look up my own queries. I could be on-call for my service, have you on the phone fixing a problem with you saying, "go ahead" , and I still couldn't do it. In five years, I only used raw logs twice, both on myself during training just so we'd know how.
So, for any given service, there may be somewhere between 10 and 100 people worldwide who could potentially access Personally Identifiable Information ("PII") of a user, but doing so without a good reason would be the end of them at the company. And should that abusive employee somehow cause "material damage" to the company... I don't even want to speculate.
On top of that, any attempt to track a single user, whether the user can be identified personally or not, will also get you fired. Every user with any form of logs access has signed a paper (real paper, even) stating that they understand all this and the consequences.
This is serious stuff. My own team would turn me in without a second thought if I did any of this. And I'd do the same to them.
What are "anonymized" logs? They're the requests that have had all PII stripped. No IP address. No account identifier. No geo-locating finer than the city, etc.
Disclaimer: I work for Google (obviously). These thoughts are mine and mine alone. Mine, I tell you! Mine!!!