It hasn't been released yet, but I can see two scenarios -
A. Apple could create a tunnel from your browser to your devices, they could have key exchange via the web after you scan a QR code shown on your web browser with your iPhone, with some sort of "verify these words are the same" scheme.
B. Apple does the typical OTP/2fa scheme where you enter a x-digit code from your device, and in doing so your Device furnishes a key to Apple to be temporarily used to access your files from the web.
But in both of these scenarios, Apple compromising you via malicious javascript is ever-present, so you're right in that you'd be trusting Apple even more to not store your temporary key for too long or at the request of a NSL.
A. Apple could create a tunnel from your browser to your devices, they could have key exchange via the web after you scan a QR code shown on your web browser with your iPhone, with some sort of "verify these words are the same" scheme.
B. Apple does the typical OTP/2fa scheme where you enter a x-digit code from your device, and in doing so your Device furnishes a key to Apple to be temporarily used to access your files from the web.
But in both of these scenarios, Apple compromising you via malicious javascript is ever-present, so you're right in that you'd be trusting Apple even more to not store your temporary key for too long or at the request of a NSL.