spacedcowboy 5 hours ago

I worked in iCloud for the last 5 years before I left in 2026, in fact I wrote the mechanics behind "Hide My Email", which is gated through akd, the authkit daemon.

I had regular meetings with 'Privacy', and by that I mean the iCloud privacy team, the Engineering privacy team, and the Security privacy team. There are a lot of people whose job it is to see that Apple don't overstep the line regarding data-privacy, and if you're writing a proposal for a feature, getting signoff from Privacy is one of the checklist items before you'll get approval.

There is an inherent conflict between user-experience and data-privacy, because making users' lives easier is often the less privacy-preserving choice, but I think Apple manages that judgement-call pretty well. I also know it hires people, a lot of people, who have veto power over feature-creep into areas that are privacy risks, sometimes to the extent that I looked on in disbelief, along the lines of "Ok, I have some keys, inside an owner-privileged data-vault[1], within which is an encrypted database acting as a temporary cache, which is created on user-login and destroyed on user-logout, and you still want me to encrypt the individual keys inside the already-encrypted and access-restricted DB? Really? If data-vaults are broken, we have bigger problems than an email being discovered..."

[1] Data-vaults, for the unaware, are kernel-enforced directories on the SSD that you need entitlements (rather than Unix permissions) to access, which you won't have because only system-provided binaries from Apple will ever have them. It's how Apple Mail protects all your email, for example.