It's encrypted at rest, but Apple has the decryption keys, and will give up your customer data when asked to by the government[1]. Also, iCloud photos are not encrypted[2].
They are encrypted at rest. This protects from someone hacking in to Apple, getting the data on disk but somehow not getting the keys, which Apple also possesses.
Apple (and thus, LEO) absolutely can look at your photos on iCloud. What you are missing is that "encrypted at rest" is essentially "not encrypted in any meaningful way".
According to the table on the second link iCloud Photos are encrypted on the server (at rest). Am I missing something?