I won’t be able to explain like you’re 5, because we’re deep into technical stuff. I’ll keep it brief.

Cloud Providers have figured out the best practices and make it easy to have them on by default. The front doors that hackers have to get through have been hardened due to relentless attacks from ever smarter hackers. Even when you get in the systems have checks and protections against accessing neighboring data. The data is encrypted at rest and the key is further encrypted and protected behind layers of checks. Even employees at those companies have more and more restrictions before they can even access the garbleled up encrypted data without the key needed to make sense of it all.

You, on the other hand, are indeed a smaller target, but you’ve got a very vulnerable computer with complete unrestricted access to the unencrypted data. A hacker can deploy a 0-day hack and lock your data out and ask for $5k of bitcoin so they’ll unlock it. The only way to protect yourself from online attacks on your PC is to never have your data online. Hard, but doable, however mostly useless as we move more of what we do online.

What is dangerous is a smaller company being overconfident that they can protect against hackers by their lonesome. Cloud Providers are really the only realistic option outside of only having your data on a computer that is never online and data you copy with a thumbdrive has extraordinary anti-virus checking on it before plugging it into your offline computer.