I've seen this kind of situation go bad for companies having drives recovered in the past.
BUT NOT THE WAY YOU ARE WORRIED ABOUT.
What I have seen happen is that the recovery company makes an image of the drive as they recover the data or they dispose of the old drive after recovering the data to a new one.
What then happens is that in the chaos and confusion that occurs at some busy recovery companies the image or the old drive are not disposed of properly and a bad person finds them and mines them for personal data.
I have never encountered a recovery service that snoops in their customer's data and uses it for personal gain.
What you can do....
Be sure to let them know that you have personal data on there that you need kept secure and would they please be sure to properly erase or dispose of any copies after sending you back the recovered files.
That should protect you most of the time.
Personally, I would change any root passwords to public facing servers and any financial passwords stored in that spreadsheet but I keep those in my head and in a safe, not on any computer.
Hope this helps you feel more comfortable,