It also backs up the device's iMessage keys, to Apple via the network, automatically, using Apple keys. That's called key escrow.
The plaintext message content backup bypasses the end-to-end encryption entirely, providing the service-in-the-middle with complete plaintext.
Apple is the only "man in the middle" for iMessage - all encrypted iMessages transit their servers (using TLS, separate from the iMessage message encryption). Apple, via software changes, has gained possession of the user's iMessage key, and the message is no longer opaque to them when relaying it, and it is not end-to-end encrypted. The party in the middle (Apple) can read all of the messages, just as if it were two different TLS sessions to each user with no encrypted payload (the way most non-e2e messaging is implemented).
Alternately, if Apple, via software changes, has caused the plaintext message content to be relayed back to Apple post-decryption, it is no longer end-to-end encrypted, as the service in the middle is no longer zero-knowledge, and has come into possession of the plaintext.
If that's not a backdoor, I don't know what is.
EDIT: (responding to comment below, throttled)
> Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn't stored by Apple.
So if you have "Messages in iCloud" enabled, it backs up your iMessage encryption key (Apple already has the ciphertext from the iMessage service). If you have "Messages in iCloud" disabled, it backs up the plaintext of the messages themselves from your device.
In both cases, Apple can read all of your iMessages, either because their software on your device gave them the key (iCloud Backup=on, Messages in iCloud=on), or because their software on your device gave them the plaintext (iCloud Backup=on, Messages in iCloud=off).
Is messages in iCloud on by default? I remember being asked.
Unless you are 100% certain that everyone you iMessage with has also done this, your conversations are still not reliably private.
Even then, Apple can silently inject additional escrowed wiretap keys into the keylist for one or both participants, although this is an active attack and can be detected by monitoring changes to the keylist for a given phone number or Apple ID provided by Apple's iMessage APIs.
What I was trying to say is that Apple is trying to make it as easy as possible for people to recover their messages, because this covers most peoples' threat models, which do not include protecting data from subpoena. Signal is great technology but the fact is it doesn't sync messages between devices because they haven't figured out how to do that in a way that's fully secure. This is a feature that tons of iPhone users want and are not willing to sacrifice for higher security. What am I missing?
But is this problem a problem just at the personal level? The big problem lies at a societal level. And does it then help that a few computer hackers are informed enough to make an important (and crippling) technical decision?
Is just conjecture about something they could do, or is there some evidence that they have done this?