by asgrdz
2339 days ago
If it rains it gets wet outside. But if it's wet outside, that does not mean it's rained. This is an example of a recurring case where snakeoil and dishonest companies use this seemingly obvious logic puzzle, because people in general are bad at logic. To answer your question directly: TLS encryption from your phone to Apple's servers means they terminate encryption at the other end when they receive your data. This means "they decrypt the information that was in transit". Then they explicitly apply another encryption to the received and decrypted data before storing it on disk. Since these are two separate steps, you have no protection whatsoever since Apple will have a registry of all decryption keys for the disk backups that they'll happily use for whatever reason when they want to get hold of your data. The only thing their disk encryption protects against is if someone were to walk away with the physical disks. It protects squat against the threats customers actually care about (unauthorized access to the data by someone other than the customer owning that data). And seeing as they run on AWS, physical security means that the only way metal leaves the data center is if it's in millimeter-sized shredded metal grain. So the threat model of concern here is exactly what Apple has decided not to provide customers any protection against.
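The two separate steps described in the comment above, modelled as an added example (not part of the original comment and not any vendor's implementation). `Provider`, `upload` and the stdlib stand-in cipher are hypothetical; the example also goes one step further and contrasts the case where the key never leaves the client.

```python
import hashlib, hmac, os

# Stand-in cipher (assumption): HMAC-SHA256 keystream plus MAC, stdlib only.
# A real system would use an AEAD such as AES-GCM.
def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, b"enc" + nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, b"enc" + nonce, len(ct))))

class Provider:  # hypothetical backup service
    def __init__(self):
        self.key_registry = {}  # at-rest keys, held by the provider
        self.disk = {}          # bytes as written to storage

    def receive(self, user, session_key, record):
        payload = unseal(session_key, record)   # transport encryption ends here
        key = self.key_registry.setdefault(user, os.urandom(32))
        self.disk[user] = seal(key, payload)    # separate at-rest encryption step

    def insider_read(self, user):      # anyone with access to the key registry
        return unseal(self.key_registry[user], self.disk[user])

    def stolen_disk_read(self, user):  # has the disk, not the registry
        return unseal(os.urandom(32), self.disk[user])

def upload(provider, user, data, client_key=None):
    # With client_key set, the data is sealed before it ever reaches the transport.
    payload = seal(client_key, data) if client_key else data
    session_key = os.urandom(32)  # models the TLS session key
    provider.receive(user, session_key, seal(session_key, payload))
```

In the first model the at-rest layer stops only the stolen-disk reader; in the second, the provider's registry key yields nothing but the client's ciphertext.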