by nerdjon 2358 days ago
At least in Apple's case, they do not have the keys because it is encrypted by your devices and then uploaded. It is then only able to be read by your devices because they have the keys to un-encrypt it.
1 comments

The latest Apple platform security doc (fall 2019, available as PDF) does a half-decent job of explaining their key distribution mechanisms (iCloud Keychain, they call it) too. They are doing some pretty complicated stuff under the hood to support multiple devices (trust circles, they call it).

I just wish I could read the source code to make sure theory and practice are reasonably congruent.