From my perspective, your threat model is strange.
I'm most concerned with (1) the device and the OS preventing me from accidentally installing malware in the App Store, (2) preventing drive-by malware from the web browser, (3) secure against physical tampering. High assurance authentication (Touch ID, Face ID, etc) is nice, although the account+device registration+provisioning does prevent me from being anonymous to my phone manufacturer+provider, but I have no expectation of that on a smart phone anyway. If I needed anonymity, I would prefer a prepaid burner be a feature phone with no apps at all.
I don't use iCloud because I don't think it fits within my current threat model. That which is synced to Apple servers (beyond my account/authentication info) is banal stuff. If I needed a more secure communication system, I would use an app specifically designed for it and not owned by an Apple/Facebook, although I'm not sure any lawful company can resist something like a National Security Letter. The best policy is simply not to hand over the content, so it's not subject to the Third Party Doctrine (as flawed as it is).
If a nation-state is attacking me, the best option I have is not to have a listening and tracking device on me all the time and probably to use offline-only devices.
From my perspective, your threat model is strange.
I'm most concerned with (1) the device and the OS preventing me from accidentally installing malware in the App Store, (2) preventing drive-by malware from the web browser, (3) secure against physical tampering. High assurance authentication (Touch ID, Face ID, etc) is nice, although the account+device registration+provisioning does prevent me from being anonymous to my phone manufacturer+provider, but I have no expectation of that on a smart phone anyway. If I needed anonymity, I would prefer a prepaid burner be a feature phone with no apps at all.
I don't use iCloud because I don't think it fits within my current threat model. That which is synced to Apple servers (beyond my account/authentication info) is banal stuff. If I needed a more secure communication system, I would use an app specifically designed for it and not owned by an Apple/Facebook, although I'm not sure any lawful company can resist something like a National Security Letter. The best policy is simply not to hand over the content, so it's not subject to the Third Party Doctrine (as flawed as it is).
If a nation-state is attacking me, the best option I have is not to have a listening and tracking device on me all the time and probably to use offline-only devices.