But iCloud is not fully encrypted by default.

Could you elaborate?

iCloud Advanced Data Protection (the feature that TFA is referring to) is required for E2EE, and it is not enabled by default.

https://en.wikipedia.org/wiki/ICloud#Advanced_Data_Protectio...

> On December 7, 2022, Apple announced Advanced Data Protection for iCloud, an option to enable end-to-end encryption for almost all iCloud data including Backups, Notes, Photos, and more. The only data classes that are ineligible for Advanced Data Protection are Mail, Contacts, and Calendars, in order to preserve the ability to sync third-party clients with IMAP, CardDAV or CalDAV.

But they can store the traffic and decrypt it later, if feasible.

^ this and remember kids. Data processing does not require a warrant.

> if the target uses iCloud backup, the encryption keys should also be provided with content return

https://s3.documentcloud.org/documents/21114562/jan-2021-fbi...

That is from before opt-in end-to-end encryption was added for iCloud backups.

Does Apple have any better proof than a whitepaper that they don't backup the keys anyways?

Several people have reverse engineered the protocol and clients. None have found any evidence that the keys are backed up anywhere as far as I know.

which you can verify because everthing is proprietary so it just there usual marketing play