If apple's primary concern for not offering icloud zero knowledge encryption was that people may lose their data through loss of key why do they offer exactly that option with their secure vault ?
It is expected that encrypted data will be lost when the key is lost, security comes at the price of convenience.
I disagree that this should be an opt-in choice for an encrypted online data storage service, the whole point of it being encrypted is to make sure it cannot be accessed without the key thus preventing the service provider from being a potential privacy breach point. In post-Snowden times where online privacy requires encryption, always-on encryption for a third party data storage service makes sense and caters to the growing demand for online privacy.
> why do they offer exactly that option with their secure vault?
You mean FileVault, their disk encryption? Time Machine backups are not encrypted by default. You have to opt in.
If you mean Keychain, their password manager, that's a good example of a high-security special case. And there are usually ways of resetting lost passwords so you may still survive the loss of your Keychain key.
This is not a matter of "convenience"... Apple does not want a million customers crying at the Genius Bar over the permanent loss of a lifetime of photo memories because they lost their key, ok? You have to design systems expecting that normal people will lose their key at least once in their life. Have you ever lost the keys to your home? For most people, if you offered to improve the security of their home at the cost of incinerating the house if they lose their key, that would not on balance be a good default setup. Maybe for their safety deposit box it would, and only in cases where they'd rather destroy the contents than let them get into the wrong hands. But certainly it's not a one-size-fits-all good default config in all cases.
It is expected that encrypted data will be lost when the key is lost, security comes at the price of convenience.
I disagree that this should be an opt-in choice for an encrypted online data storage service, the whole point of it being encrypted is to make sure it cannot be accessed without the key thus preventing the service provider from being a potential privacy breach point. In post-Snowden times where online privacy requires encryption, always-on encryption for a third party data storage service makes sense and caters to the growing demand for online privacy.