Which assumes the keys are stored in there and not `bundle/user-data/please-dont-read`...

For my part I don't trust PRISM partner Apple to secure anything from the government, enclave or not.

Were any of the companies listed on the PRISM slide consensual partners? My understanding is that the NSA tapped the internal network in an era where mTLS wasn't rolled out. Everyone then saw the slides and rolled out mTLS.

I'm quite sure NSA had at least one backup plan, provably more. It is also impossible to know how much of Apple's stance is just for show.

Sure. I would think that the NSA had plenty of insiders. So do other security agencies, probably. Background checks aren't that thorough against a state-level adversary. (This is one reason why big companies can't trust insiders. I guess small companies should be cautious as well, but sometimes you don't have the funding to protect against insiders and still do your actual work.)

I believe that some companies making layer two network encryption gear also got a big boost around the same time.

read "when google met wikileaks", tech giants are more than happy to help with national security

It's certainly not a good option. It's also one of the best options available on the market, save completely opting out of tech.

And a hardware implant will give the evil maid control over device I/O at minimum, likely the ability to read RAM too. All that's left is to exfiltrate over a prepaid SIM or something.