There's a difference between trusting Apple as a company and trusting random Apple retail employees. A rogue admin could try to extract user data from servers, but I expect Apple has at least some processes in place to prevent that. A rogue programmer could try to get malicious code shipping in an Apple OS or on their servers, but that would be risky and easy to get caught doing. On the other hand, a rogue retail employee given an unlocked phone would 'just' need to surreptitiously tap around a bit to copy data off. And they're paid a lot less anyway, which matters if your threat model isn't the NSA but random criminality.
