The initial setup of macOS offers disk encryption by default, but also prompts the user to upload the FileVault recovery keys to iCloud. It’s more transparent than Windows, which, if I recall correctly, just silently encrypts the disk and uploads the key to Microsoft servers.
iCloud’s Advanced Data Protection (ADP) feature, which enables E2E encryption, does protect these recovery keys, but I would worry about them being copied elsewhere or retained in unprotected backups after ADP is enabled.
One would probably want to regenerate the FileVault encryption keys after enabling ADP and potentially fully disable uploading the recovery keys to iCloud.
Similarly, it is possible to disable uploading of the BitLocker decryption key in Windows with the Pro and Enterprise versions.
Personally, I doubt most users would use disk encryption if they had to keep track of the disk recovery keys on their own, so this provides meaningful protection against exfiltration of sensitive information if an adversary were to have brief physical access to the device or were to steal it, but it does no good at all for protecting against Microsoft, someone with deep access to Microsoft’s systems, or legal requests to Microsoft.
The same goes for Apple users who don’t have ADP enabled for their iCloud accounts or who have enabled ADP without later regenerating their FileVault keys. (I don’t think one can be reasonably sure that there will be no traces of the cleartext FileVault recovery key on Apple’s servers after ADP is enabled for iCloud.)
Ultimately, so many users should better engage a culture of privacy and security, think seriously about their threat models, and think about what would happen if one where to get access to their sensitive information.
Apple did add a new feature to iCloud called Advanced Data Protection, which enables E2E encryption on iCloud contents, which includes message and device backups.
After enabling this, it is likely prudent to regenerate FileVault keys. It’s also notable that for the initial setup of macOS, it does offer you to forego uploading the recovery key to iCloud, but selecting this option presents a warning stating that Apple will be unable to help you retrieve your data if you lose it. Thus, I am certain most Mac users just upload them to iCloud, which opens them up to exactly the same issue as in the article, but does help protect against thieves or adversaries with brief device access.
I have tried to convince Apple users I know to enable ADP, but I have been faced with the expected dismissal of it being unnecessary because they are not interesting, etc.
More people need to engage in a culture of security and privacy when it comes to their digital lives.
Edit: added missing word