Comment by kbolino

The keys are stored only in the Secure Enclave. Encryption and decryption are handled outside the standard CPU and OS. This is hardware-level protection, not just some flag on a cloud account to be flipped. The only way for Apple to break this system is to break it for everyone, since anything else would risk bleed over or insufficient compliance.