For some time now, we have been assessing the risks from a GDPR perspective when data (data-at-rest) in the Google Cloud is fully encrypted using native means. This means that we create both the KEK and the DEK completely with Google Cloud KMS and encrypt the storage buckets with it.
Also, we are not currently subject to any regulatory requirements that enforce separation based on CSEK or CMEK.
It would help me a lot if people could share their experience in this area.