Data is encrypted client-side, so even Mozilla can't read it. If someone hacks Mozilla, they could get your encrypted data, but without your passphrase, they won't be able to read it. On the downside, if you forget your passphrase, you won't be able to read your data either (you have to wipe your account and start over).
Are you sure? According to this: https://wiki.mozilla.org/Labs/Weave/Sync/1.1/Setup, the passphrase you use is sent in the clear (over HTTPS) to Mozilla every time you get the data. That implies that while the data may be stored encrypted client-side, it's decrypted or at least verified server-side.
There is absolutely no way for Mozilla to get your data, even if subpoenaed. And, if for some reason you still don't trust it, you can easily set it up on your own server.
The encryption key and the password are two separate tokens. The password is supplied by the user, while the encryption key is a randomly-generated 26-character string. (In some earlier versions of Firefox Sync, the key was also supplied by the user and was called a "secret phrase.")
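The two-token model described in the comment above, as an added example and not Mozilla's own code: the user's password only yields a server-side verifier, while a random 26-character key, which the server never receives, is expanded with HKDF into separate encryption and MAC keys that protect each record. The friendly base32 alphabet, the HKDF info label and the HMAC-based keystream (standing in for AES-256-CBC, which the standard library lacks) are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import secrets

TO_FRIENDLY = str.maketrans("lo", "89")   # assumption: display alphabet avoids l/o

def generate_sync_key() -> str:
    """128 random bits as 26 base32 characters; generated, never chosen by the user."""
    raw = base64.b32encode(secrets.token_bytes(16)).decode().rstrip("=")
    return raw.lower().translate(TO_FRIENDLY)

def sync_key_bytes(key: str) -> bytes:
    return base64.b32decode(key.translate(str.maketrans("89", "lo")).upper() + "======")

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step with SHA-256 (fine for outputs under 255 blocks)."""
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]

def key_bundle(key: str) -> tuple:
    """Split the Sync Key into an encryption key and a MAC key (info label is ours)."""
    material = hkdf_expand(sync_key_bytes(key), b"example-sync-key-bundle", 64)
    return material[:32], material[32:]

def encrypt_record(key: str, plaintext: bytes) -> dict:
    enc_key, mac_key = key_bundle(key)
    nonce = secrets.token_bytes(16)
    # HMAC-SHA256 keystream stands in for AES-256-CBC; the stdlib ships no AES.
    pad = hkdf_expand(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, pad))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "hmac": tag}

def decrypt_record(key: str, record: dict):
    enc_key, mac_key = key_bundle(key)
    tag = hmac.new(mac_key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, record["hmac"]):
        return None   # wrong key or altered record: refuse rather than guess
    pad = hkdf_expand(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(c ^ k for c, k in zip(record["ciphertext"], pad))

def server_store(password: str, record: dict) -> dict:
    """Everything the server holds: a password verifier plus opaque ciphertext."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "verifier": verifier, "record": record}
```

Only the password reaches the server, so a breach of `server_store`'s output (or of the password itself) yields nothing decryptable; losing the key, as the first comment notes, means the data is gone for the user too.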