It's hard for anything but policy to protect against denial of service (legal attacks against the company). Even if you have technical security which prevents compromise of data, they can shut the business down.
CALEA means you are actually prevented from building/operating some kinds of privacy tech within the US (PSTN voice without wiretaps for sure, and PSTN-interconnected VoIP is a gray area; a mobile-focused VPN would be a gray area too, although not as dark as some).
They do in that the organizations involved clearly dissociate themselves from running critical operational infrastructure, or getting involved with the potentially-illegal activities enabled by their tools.
If Tor Project ran a large number of Tor nodes directly, they'd be open to very simple legal attacks.
As a service provider you have to provide access to a fairly low percentage of data on your network under CALEA. But CALEA does not make end-to-end data protection illegal. You are not obligated to steal your customers' keys or access their endpoint equipment.
In practice, many operators do offer up access to 100% of their traffic, and to their endpoint devices, to law enforcement and security agencies, but it's not a CALEA legal requirement.