Either that, or they obtained the list of exposed passwords, hashed them with whatever hashing method they use, then compared hashes against the ones that you've got saved.
A match = compromised password.
That's how I'd do it if I were trying to protect my users without infringing on their privacy.
"So it's best to assume whatever you hand to such a service is not controlled by you anymore."
I'm not sure how Google hashes/encrypts those passwords, but obviously it's not a one-way method. I reckon there's a chance that they use your Google password (or another auth token) to encrypt your plaintext password, allowing you to decrypt it.
Again, we don't know, so we can't be sure.