^ This. First time it happened I was a little confused, but once I realized what was happening I was ecstatic about it's implications for iCloud backup security.
It involves hardware security modules, cross-device crypto signing and other fun stuff. Apple cannot access the data they store about you on their servers.
From Apple's documentation:
Apple designed iCloud Keychain and Keychain Recovery so that a user’s passwords are still protected under the following conditions:
- A user’s iCloud account is compromised.
- iCloud is compromised by an external attacker or employee.
Note that the keychain security is a bit of an exception -- it's particularly strong, as it's protecting password data. (My favorite detail, not mentioned in the original white paper: To prevent the iCloud Keychain HSMs from being updated with a more lax policy, the smartcards that would have been required to update them were destroyed in a private ceremony involving a blender.)
Other data in iCloud is generally under less extreme levels of security. This isn't to say that it's insecure, merely that it's not as fanatically protected. Some of it may be accessible by resetting your account password.