From what I can understand, if you wanted to hypothetically maximize your security, it would mean turning off iPhone backups.
Apple could also have it set that you must have the iPhone passphrase to restore a backup, but obviously those can be "easily" brute-forced (because for the restore to work, it must mean you can bypass the old device's UID).