They could do so, yes, but it would pop up a message on your actual devices which you would have to agree to before that device can receive and decrypt new messages.
You still don't understand how this works. Apple can't complete the provisinig process alone - the user unlocking the keybag on the device with their password is an essential part of provisioning a device.
When a new device is added to the keybag, the other devices report the change - this isn't controlled by the server and isn't optional. Apple can control the transport infrastructure, but they cannot enrol new devices into the cryptographic session without the user being involved.