Giving your data to a third party is a very difficult thing to do. Either their policies and heuristics are not perfect (like this article), they go under and you lose your data and service (probably not the case now with Apple) or they will be compelled by law to share your data with law enforcement.
Device Registration (name, address, email address, and telephone numbe, iCloud Apple ID)
Customer Service Records
iTunes (name, physical address, email address, and telephone number, purchase/download transactions and connections, update/re-download connections, and iTunes Match connections, iTunes subscriber information and connection logs with IP addresses, specific content purchased or downloaded).
Apple Retail Store Transactions (cash, credit/debit card, or gift card transactions, type of card, name of the purchaser, email address, date/time of the transaction, amount of the transaction, and store location, receipt number)
Apple Online Store Purchases (name, shipping address, telephone number, email address, product purchased, purchase amount)
iTunes Gift Cards (sixteen-digit alphanumeric code, nineteen-digit code, any purchases, name of the store, location, date, and time, user account
iCloud (music, photos, documents, iCloud email, encryption keys, Subscriber Information, iCloud feature connections, connection logs with IP addresses, Mail Logs, records of incoming and outgoing communications such as time, date, sender email addresses, and recipient email addresses, Email Content, Other iCloud Content, Photo Stream, Docs, Contacts, Calendars, Bookmarks, iOS Device Backups, stored photos, documents, contacts, calendars, bookmarks and iOS device backups, photos and videos in the users’ camera roll, device settings, app data, iMessage, SMS, and MMS messages and voicemail)
Find My iPhone (including connection logs
Other Available Device Information (MAC Address for Bluetooth, Ethernet, WiFi, or FireWire)
Requests for Apple Retail Store Surveillance Videos
Game Center (Connection logs with IP addresses, specific game(s) played)
iOS Device Activation (including upgrades the software, IP addresses, ICCID numbers, and other device identifiers)
Sign-on Logs (iTunes, iCloud, My Apple ID, and Apple Discussions, Connection logs with IP addresses, Sign-on transactional records)
My Apple ID and iForgot Logs (password reset actions, Connection logs with IP addresses)
FaceTime (logs when a FaceTime call invitation is initiated, content protected by 15 bits of entropy if secure enclave baked key is obtained from manufacturer)
According to Apple: "Extracting Data from Passcode Locked iOS Devices For all devices running iOS 8.0 and later versions, Apple will not perform iOS data extractions as data extraction tools are no longer effective. The files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess. For iOS devices running iOS versions earlier than iOS 8.0, upon receipt of a valid search warrant issued upon a showing of probable cause, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple’s native apps and for which the data is not encrypted using the passcode (“user generated active files”), can be extracted and provided to law enforcement on external media. Apple can perform this data extraction process on iOS devices running iOS 4 through iOS 7. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, iMessage, MMS, photos, videos, contacts, audio recording, and call history."
But this blurb fails to mention that the user provided passcode can only be about 15 bits of user supplied entropy - the rest is provided by a hardware manufacturer that is also obligated by law to respond to legal request.
How difficult is it to configure this? Users should definitely choose passphrases of sufficient length and sufficient types to be secure. This is unfortunately an infamously tricky area of security to get right - and the password ought not be reused or used for the Apple Id login or anywhere else.
On this last issue, Apple has the reputation of being one of the best technology corporations. However according to their legal guidelines (http://images.apple.com/privacy/docs/legal-process-guideline...) they will and do give at least:
According to Apple: "Extracting Data from Passcode Locked iOS Devices For all devices running iOS 8.0 and later versions, Apple will not perform iOS data extractions as data extraction tools are no longer effective. The files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess. For iOS devices running iOS versions earlier than iOS 8.0, upon receipt of a valid search warrant issued upon a showing of probable cause, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple’s native apps and for which the data is not encrypted using the passcode (“user generated active files”), can be extracted and provided to law enforcement on external media. Apple can perform this data extraction process on iOS devices running iOS 4 through iOS 7. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, iMessage, MMS, photos, videos, contacts, audio recording, and call history."But this blurb fails to mention that the user provided passcode can only be about 15 bits of user supplied entropy - the rest is provided by a hardware manufacturer that is also obligated by law to respond to legal request.