If the machine is virtualized, such as is commonly called a VPS or Droplet, then yes it's possible for the hosting company (rogue employee, hack or "hack") to exfiltrate keys of all kinds. It is for this reason, I would recommend only a bare-metal install with full-disk encryption for hosting any of these things with real money, say more than a 0.01 BTC.

If you want to go higher security you would prepare the machine while in your possession and then send it for colocation. Higher still is to keep it under your or your company's physical control.

In general the lengths you go for security have to depend on your threat model and the value of what's being protected.