How do I know if Google keyboard input is safe for use?

Valid concern for both Android and iOS now that Apple has enabled third-party keyboard options there.

For Android, there are several security solutions with firewalls that enable you to cut off network access to particular applications, even if full network access is allowed in the permissions of those apps. Some require root access and I cannot personally attest to the efficacy of these applications, but several work with vanilla Android and are very well regarded. That said, "well regarded" doesn't mean secure—these apps pose the same threats as the ones you're trying to restrict. If it functions without root access, then—for reasons beyond my familiarity with the platform—they require full network access themselves. For apps that do require root access, they get root access which is even worse (and the act of rooting itself poses a significant security risk for that reason). I suppose it's a question of which entity you trust more: Google vs. a third-party developer. This can easily spiral into a debate over which entity would be most fearful of the law and bad press, but of course that is not sound as a sole consideration in the scope of information security; an attack prevented today is better than an attack today, justice served tomorrow.

Not the easiest task to remove Google connectivity from your phone altogether, and the keyboard isn't going to be the bottleneck in a hypothetical breach on their part. Notwithstanding, there are keyboards that require neither root access nor any network access at all, although the user experience may prove dissatisfying/insufficient for your purposes. You can try Keymonk Keyboard which does not require any network access, but judging by the reviews it probably would not work that well for your purposes. One other option is to use something like LastPass or DashLane which I believe act as input methods like a keyboard does. Something brewing with 1Password that is worth looking into: they will fill in passwords without use of the clipboard (clipboard sniffing is another valid concern of this same nature, perhaps an even greater threat at the moment). All of those apps I listed could have their own ulterior motives.

At the end of the day, trust is more or less a (sad) fact of comfortable smartphone use today, and it can be difficult to determine who deserves it/who will respect privacy/whose infringements are most benign.

With Android (and I believe iOS now), third party keyboards can be downloaded and used with other apps. Google has no way of enforcing that the third-party software is not recording your keystrokes during its operation. So as a way to cover themselves they give a blanket warning whenever the keyboard is changed.

This is why the warning explicitly tells you what app the keyboard is from. It ensures that you understand what input you're choosing, and double checks with the user that you're aware of the risks of a third-party keyboard application.

The work around comes down to know and trusting what application you're using for your keyboard. If you don't trust HackingYourKeyboardApp then I wouldn't suggest switching to that keyboard. If you're really curious you could perform some network analysis by using Wireshark to capture traffic from your phone. Google is most likely using SSL/TLS so you'll have to use something like Fiddler in order to see the plaintext traffic that is being sent out.

That can become a bit complicated so you might try using the Android emulator with Fiddler. It can be setup to use Fiddler and would just use your normal ethernet connection. Don't have to worry about pesky wireless protocols.

It obtains explicit consent because the phone does not know whether or not the keyboard sends data to anyone. So, it asks for that consent on any keyboard you download. It's almost certainly an anti-lawsuit disclaimer.

If you want to test for yourself whether the data goes anywhere, download Fiddler (on your desktop/laptop), point your phone at it and start doing some typing! You'll probably have to decode SSL by installing a certificate on your phone from Fiddler.

Though in reality, you can be reasonably sure that the apps are fine because someone else will have tested them. Naturally that's not guarantee, but it's "good enough" in most cases.