Fair enough, but actually your other point doesn't stand either because the prevailing understanding is that the keybag mechanism allows the clients to detect and report when another device is provisioned, and that the password is needed to join a new device to the keybag.
Therefore although Apple could add another device to the communication protocol, without the password another device cannot be added to the encryption session, or without alerting the end user.
Therefore although Apple could add another device to the communication protocol, without the password another device cannot be added to the encryption session, or without alerting the end user.