
I share that concern and completely understand. My only response to that concern, though, is that what you’re asking for is not possible without submitting the content in question to Apple and I would rather they not have it at all and therefore not even have the ability to go down that route.

It’s like a double airlock. If your content never leaves your device, there’s no way for them to provide it to someone upon request. It’s definitely a complicated situation but I have yet to see someone provide a solution for how to achieve what Apple has while never transferring your data to them in the first place.



> what you’re asking for is not possible without submitting the content in question to Apple

This unfortunately appears to be true, and part of me is impressed by [the idea of] the solution they've come up with. But, like I said in my first comment, it means in practice that I have an opaque and unaccountable surveillance program running on my personal physical hardware, which is undeniably an escalation. Whatever they claim it's doing is both completely unverifiable and probably complicated enough, and subject enough to change, that it's practically impossible to form a complete and persistently correct understanding of the attack surface it exposes—even if it were open-sourced and exhaustively documented, which it isn't and presumably never will be.

I am much more comfortable simply knowing that anything I upload to somebody else's servers is subject to snooping, and anything I keep on my hardware is not. That's how the other cloud storage providers do it, and I may not like it, but it's at least easy to account for when I'm thinking about my own data security and privacy. It's admirable that Apple tried to come up with something better, but (I'd argue) from certain important perspectives it's arguably worse.

Software is a chronic disease. Once you let it in, it never goes away, and changes beyond the scope of "fixes" seem to infallibly make it more intrusive and/or harmful. We are like frogs with many bodies, each being boiled in a different pot by a different chef. I have no interest in yet another unaccountable daemon inhabiting my private person.


While I agree, in principle, I think that cat's been out of the bag for a while. The government will continue to mandate things away from end-to-end encryption (they're already trying to pass bills to make it illegal) and this seems like the most reasonable solution I've seen thus far that still allows for end-to-end encryption while addressing the concerns of governments around the world. If you want what's on your device to stay on your device, I think you have to live in a place that doesn't exist - namely, a world without governments or the internet.


> If you want what's on your device to stay on your device, I think you have to live in a place that doesn't exist - namely, a world without governments or the internet.

This isn't true quite yet. It's pretty easy for me to keep some of my data truly private (e.g. on a secure Linux machine with an encrypted disk, if I'm really paranoid) while still participating in modern society, using the internet, and so on.

Apple has simply removed itself from the set of vendors whose products don't preclude uncompromised local data security.


> It’s like a double airlock. If your content never leaves your device, there’s no way for them to provide it to someone upon request.

Except they just built themselves a way to get our data on our devices which very much does transfer our data.


No, they didn’t. Apple never gets any of the content on your device. They get signatures and, at best, a visual representation like a thumbnail.



