by meindnoch 122 days ago
LOL. Aren't you a little paranoid?

Just trying to use expensive tablets in peace. Eventually stopped buying new models due to breaches.

After a few years, bought the 2025 iPad Pro to see if MTE/eMTE would help, and it did.

There’s no hard evidence that you’ve put forward that you’ve been breached.

Not understanding every bit of traffic from your device with hundreds of services and dozens of apps running is not evidence of a breach.

Have you found unsigned/unauthorized software? Have you traced traffic to a known malware collection endpoint? Have you recovered artifacts from malware?

Strong claims require strong evidence imo and this isn’t it.

As mentioned elsewhere in this thread, traffic from each iOS app was traced via Charles Proxy, the endpoints allowlisted for normal behavior, and finally the app was offloaded so it could not generate any traffic from the device. Over time, this provided a baseline of known outbound traffic from the device, e.g. after provisioning a new device with a small number of trusted apps.

Apple traffic was isolated separately, https://news.ycombinator.com/item?id=46994394

Traffic outside that baseline could then be reviewed closely.
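
The baselining workflow described in the comment above, as an added example that is not part of the thread: per-app endpoint allowlists are merged into a device baseline, offloaded apps drop out of it, Apple traffic is set aside, and everything else is queued for review. All hostnames, app names and flow records are constructed; treating 17.0.0.0/8 and the two hostname suffixes as "Apple" is an assumption of this example.

```python
import ipaddress

# Assumption: Apple traffic is recognised by Apple's 17.0.0.0/8 block or by these suffixes.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
APPLE_SUFFIXES = (".apple.com", ".icloud.com")

# Constructed per-app allowlists, as recorded while tracing each app on its own.
PER_APP = {
    "notes": {"api.notes.example", "*.cdn.notes.example"},
    "mail": {"imap.mail.example"},
    "game": {"telemetry.game.example"},
}
OFFLOADED = {"game"}  # offloaded apps should no longer generate any traffic

# Constructed flow records exported from the proxy: (hostname, destination IP).
FLOWS = [
    ("api.notes.example", "203.0.113.10"),
    ("img.cdn.notes.example", "203.0.113.11"),
    ("gateway.icloud.com", "17.248.1.1"),
    ("telemetry.game.example", "198.51.100.7"),  # endpoint of an offloaded app
    ("unknown-sync.example", "192.0.2.55"),      # never seen during tracing
]

def device_baseline(per_app, offloaded):
    """Union of allowlisted endpoints for apps that are still installed."""
    patterns = set()
    for app, hosts in per_app.items():
        if app not in offloaded:
            patterns |= hosts
    return patterns

def matches(host, patterns):
    """Exact match, or suffix match for '*.' wildcard entries."""
    host = host.lower().rstrip(".")
    for p in patterns:
        if p.startswith("*."):
            if host.endswith(p[1:]):  # p[1:] keeps the leading dot
                return True
        elif host == p:
            return True
    return False

def classify(host, ip, patterns):
    if ipaddress.ip_address(ip) in APPLE_NET or host.lower().endswith(APPLE_SUFFIXES):
        return "apple"  # isolated and reviewed separately
    return "baseline" if matches(host, patterns) else "review"

def triage(flows, per_app, offloaded):
    patterns = device_baseline(per_app, offloaded)
    return [(h, ip, classify(h, ip, patterns)) for h, ip in flows]
```

A "review" label only means the flow is outside the recorded baseline; it is a starting point for closer inspection, not a finding in itself.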

Lol 'breaches'.

I agree with other posters that you seem to be capable of network-level forensics, but you have said nothing to back up what you consider a device breach other than 'some cloud destined network traffic which disappears after a hard reset'.

In my experience of forensic reports, this link is tenuous at best and would not be considered evidence or even suspected breach based on that alone.