Encryption

Web service privacy: how to prove its security? Open / spread the source code? And does it need to be done?

1. Let's say I created some abstract web service for many people around the world.
2. It provides User Registration. And also OAuth authorization, but not about it.
When registering, the user accepts the provision on the Security Policy.
2. Let's say the user can save his files / pictures or just text information on it. What he wished.
3. How can I prove that all files / user information is encrypted, let's say, by the password hash? And that this information is not copied anywhere in its original form, much less sent to third parties? And that I don’t store passwords, but only their hashes.
If I do not want to open the source code of the service, with encryption algorithms? Is everything based on trust? Until the service is hacked and proven otherwise?
Do you need to prove something to the user at all? Act according to the principle - the user himself decides whether to trust or not - he doesn’t want to, let him not go to the site and not register - but he wants to let him upload files at his own peril and risk?
How is it customary to act?