> Or will the iPhone have a multi-hour update where it decrypts its entire iCloud archive on the client-side, and then reuploads it without encryption?
More likely that the phone just sends the keys to Apple in that case
But that passphrase you saved is an additional key, in case you lose all your Apple devices for example. You can tell it isn’t required for your phone to decrypt data because you don’t have to type it in to access your data, or even migrate to a new phone.
And if they allow rescue contacts in case you lose the password and you can decrypt the data through their account, there is a chance they also keep a key for themselves, just in case.
If you got sensitive data, learn to encrypt it yourself. That is the ONLY way to make sure. If you trust another company to do the encryption at rest for you, that is your own fault.