Comment by int_19h

They control the software running on your device, and said software ultimately has access to the encryption keys stored there (subject to the usual hoops; e.g. it might need you to do a FaceID unlock first, but it's not like you aren't already doing that many times every day).