A common misconception - parts of iCloud data are encrypted at rest, but a good chunk of it is not. They've indicated they want to get there at various points in the past, but unless I've missed an update it's not there currently.
The files are still encrypted at rest (using convergent encryption) to obscure their contents from the underlying storage service, but Apple holds the keys:
> Each file is broken into chunks and encrypted by iCloud using AES-128 and a key derived from each chunk’s contents that utilizes SHA-256. The keys and the file’s metadata are stored by Apple in the user’s iCloud account. The encrypted chunks of the file are stored, without any user-identifying information, using third-party storage services, such as S3 and Google Cloud Platform.
The Chinese government made Apple hand over control ofiCloud infrastructure in China to a Chinese company. So those encryption keys stored in iCloud are now in the hands of aChinese company subject to Chinese government control.
Not exactly an ideal arrangement, but it was likely that or switch off iCloud in China, or pull out of China completely. Which to be fair Google actually did.
Files encrypted at rest on Apple’s servers represents protection for Apple against external threats, not for the user.
These are security schemes that do not enhance the user’s privacy.
It’s cool that some companies are security conscious enough to do this, but for the user’s privacy remember that ... if it’s not end to end encrypted, it doesn’t matter for privacy, just for security and those two notions are very different ;-)
