Nope, its Apple servers. User devices don’t connect directly to Google

This is not entirely true. Additionally Apple proxies traffic to GCP but key management still resides on user devices.

If backup is enabled(which I guess it is as things are backed up), then the key is also shared with apple.

Wonder if they delegate the keystore to third party cloud services or that is one of those things they store in-house?

> This is not entirely true

You mean user devices may connect directly to Google storage? Did you observe it connecting to IPs in Google owned ASNs?