Today I downloaded a copy of my data from https://privacy.apple.com, Apple’s Data and Privacy website. (For some reason it took 5 days after my request for the data to be ready for download.) I highly recommend that you download your data too, because you might be shocked how much Apple has on you. Apple’s advertisement “What happens on your iPhone stays on your iPhone” appears to be a blatant lie.
First, I don’t even use passkeys! I’ve written about passkeys before and why I avoid them. Unfortunately, Apple’s passkey implementation requires iCloud Keychain. I don’t want to use anyone’s cloud service—not Apple’s, not Google’s, not 1Password’s—because I don’t want to place my credentials database under someone else’s control and because I don’t trust the availability and reliability of cloud sync.
It is very likely that this is what’s happening.
“This is not an iCloud backup. It’s “Apple ID account and device information”. Keep in mind that Apple is playing a dual role in this case, and you appear to be conflating the two. Of course Apple runs iCloud Keychain, which syncs client data including the private keys. But that’s supposed to be all end-to-end encrypted, including the metadata… But this is not any old passkey: it’s a passkey for apple.com. Apple is also playing the role of server to which the client authenticates. That’s entirely separate from iCloud Keychain client data.”
Apple is very clear on the metadata that is not E2EE, see this.
“You would think that in its role as server, Apple would have only the same client information as any other passkey server, e.g., GitHub.” That’s valid, but your Apple ID is already associated with your device, so I don’t honestly see how it’s a problem for its passkey to be associated with it too.
Passwords and passkeys are E2EE even with standard data protection, and ADP doesn’t affect Apple ID info afaik, so I don’t think it will change anything.
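For reference on what "client information" any passkey server receives, here is an added example (not from the post, the comment, or Apple) that parses the WebAuthn authenticator data a relying party gets at registration. The sample bytes are constructed for `example.com`, and the function names and output keys are this example's own.

```python
import hashlib
import struct

# WebAuthn authenticator-data flag bits, as defined in the W3C WebAuthn spec
FLAGS = {0x01: "user_present", 0x04: "user_verified",
         0x08: "backup_eligible", 0x10: "backup_state",
         0x40: "attested_credential_data", 0x80: "extensions"}

def parse_auth_data(auth_data: bytes) -> dict:
    """Return the fields a relying party can read from authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    # Fixed header: SHA-256 of the RP ID, one flags byte, big-endian counter
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    out = {"rp_id_hash": rp_id_hash.hex(),
           "flags": sorted(n for bit, n in FLAGS.items() if flags & bit),
           "sign_count": sign_count}
    if flags & 0x40:  # attested credential data is present at registration
        if len(auth_data) < 55:
            raise ValueError("truncated attested credential data")
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID runs past end of data")
        out["aaguid"] = auth_data[37:53].hex()   # authenticator model ID
        out["credential_id"] = cred_id.hex()
        # Remaining bytes: CBOR-encoded COSE public key, then any extensions
        out["public_key_and_ext_len"] = len(auth_data) - 55 - cred_len
    return out

def build_sample(rp_id: str) -> bytes:
    """Constructed registration data; the key is a placeholder, not a real COSE key."""
    flags = 0x01 | 0x04 | 0x08 | 0x10 | 0x40    # UP, UV, BE, BS, AT
    cred_id = bytes(range(16))                  # constructed credential ID
    placeholder_key = b"\xa0"                   # empty CBOR map
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", 0) + bytes(16)  # sign count 0, all-zero AAGUID
            + struct.pack(">H", len(cred_id)) + cred_id + placeholder_key)

if __name__ == "__main__":
    for key, value in parse_auth_data(build_sample("example.com")).items():
        print(f"{key}: {value}")
```

The `backup_eligible` and `backup_state` flags tell the server that a credential can be or has been synced, but nothing in this structure names a device; anything beyond these fields is data the server holds from other sources.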