Encryption Question About iMessages in the Cloud

In MPU 436, there’s a section on Messages in the Cloud (starting at 1:20:47). In that part of the show, @katiefloyd says, in reference to messages and OS 11.4, “So Apple encrypts the data so even it can’t decrypt it”.

I’d missed the details on 11.4 and it got me wondering, so I read a few bits online that I could find, and it seems that:

  1. All devices use iCloud to synchronise the messages. No iCloud, no sync.
  2. “Your data is protected with a key derived from information unique to your device, combined with your device passcode, which only you know.”

In order to decrypt a message held in the cloud on your device, it must be encrypted from a decrypted form such that the particular device you are using can decrypt it.

iCloud isn’t a device, or even if it was, there must be a key, and as a user you aren’t holding it, are you? Only the device and your passcode (plus two-factor authentication).

So my question is, who holds the iCloud key now in the 11.4+ world? Is it still Apple? If so, then Apple can decrypt your messages. If not, how does the decryption in iCloud for re-encryption for transmission to device work?