On a score of 1 to 10 safety/security, having either Apple or MS store my credit card, I would rank them 9. I'm sure Google is just as good, but since I don't pay for any google services, there's no reason to store my cc.
I would agree with that. Giving someone like Apple, MS or Google my card is not committing anything to the Devil. I would be way less comfortable giving it directly to an app provider.
In any event, I have an account with Revolut, an online-only bank in the UK. Its only purpose is internet transactions, and it only ever has enough money to pay for transactions and subscriptions. If I am making a one-off purchase, I just move the money from my main bank to Revolut. It takes seconds, so it's no big deal.
For me, that's just common sense. I don't want my main banking account disrupted by a cancelled card because of fraud, and it's not usable for any time. It also provides virtual one-time cards for those I am more wary of.
Looks like it will not be enabled by default.
Right approach. Opt in, not opt out.