
Another iMessage/iOS design flaw (in the context of its "end-to-end encryption") is that you can't disable iCloud sync for the messages alone. It's an all or nothing proposition. It would be good if in iOS 9.3 they'd allow iMessage sync to be disabled, or even better keep it disabled by default, even when you enable "iCloud sync" (it is after all supposed to be end-to-end encryption, not "end-to-end encryption with centralized storage in our cloud", at which point saying iMessage is E2E is just a misnomer).


Actually, I think that messages are only kept until all registered devices (at reception time) get them. For instance, if you register a new device to iCloud you never get previous messages (otherwise the San Bernardino case is moot, because they could have accessed this history).

I think there is also an expiration time limit, running from the moment the first device receives a message, for the other devices to get the same message, but we are in undocumented territory about that AFAIK...


It's my understanding that iMessage encrypts messages using the public keys of all devices the recipient owns. The server would only store that ciphertext, which is useless without the private key only available to the recipient.

Is this different when iCloud is enabled?


This is true for transit.

However, once the message has been delivered onto the device, it's either stored in plaintext, or backed up in plaintext (with the backup itself being encrypted with a key Apple has).

In saying that... I'm now wondering why they aren't encrypting the messages using the passcode like other sensitive data. I guess so the backup can be restored onto another phone and have the messages persist.


The problem is iCloud Backup -- it really should work in a way which doesn't give Apple unlimited access. Yet, allow restore onto new devices, without requiring users to memorize long passwords, and without a bunch of confusing options or steps for most users.

It's a fairly hard problem to do very well. What they do today isn't particularly close to "very well", so even some easy improvements could make it a lot better.


This is plainly wrong: the device is fully encrypted. RTFM: https://www.apple.com/business/docs/iOS_Security_Guide.pdf

PS: But yeah the optional iCloud backup is currently the weak spot.



