But since key management is out of your control or visibility, Apple can just add another key to your account on behalf of the government. They don't have to disclose the existing keys on your device. This gets them the messages going forward but not the ones from the past. So they'd have to do this for all Chinese customers ahead of time, rather than as a response to an inquiry.

Anything's possible if the vendor secretly collaborates with a government to insert vulnerabilities and lies about it. But what we're talking about here is, given the way Apple has publicly declared how the system works[1], what can a government do with full server access.

Apple states "All of the user’s registered devices display an alert message when a new device, phone number, or email address is added." So no, it's not correct to say key management is out of your visibility.

[1] https://www.apple.com/business/site/docs/iOS_Security_Guide....

Your messages are stored on iCloud, right?

Yes but they are now E2E encrypted. Apple rolled out "Messages in iCloud" recently which preserves E2E encryption and excludes messages from regular (not E2E encrypted) iCloud backups.

Only if you enable this feature.

Its enabled by default. iCloud backups are automatically opted in since iOS 9.

Backing up messages to iCloud is not on by default. iPhone will ask you if you want to enable it.