How can the photos be encrypted at rest where Apple can't access them? If I buy a new iPhone all of my iCloud photos show up on it. That means that Apple can access them somehow.
While photos aren’t end to end encrypted (at least today), the fact that they show up on a new phone isn’t proof that if non-encryption. E.g. keychain passwords and iMessage messages are end to end encrypted (except in iCloud backups) but show up when you buy a new phone.
(Caveat that if you have iCloud backup enabled - which it is by default, the backups aren't end-to-end encrypted. This feature is basically on the convenience side of convenience vs privacy / security - too many consumers would irretrievably lose their data if iCloud backup weren't enabled by default)