Secure Enclave doesn't have to exist for the rest of the system to work as I described. (And once Secure Enclave does exist, it can be used to further secure the private keys generated after that date.)
Without Secure Enclave, remote parties (the servers) can't know where the key material came from. I'm assuming that, because old devices pre-SEP have to be supported, Beeper is exploiting this, since there's no required residency or provenance attestation for the keys.