More than a pretty chip
The CPU inside every iPhone 5s, dubbed the A7, contains all sorts of technological goodies. Among them is a special co-processor, called the "secure enclave," that is designed to provide iOS with an extra-secure area of memory.
Each enclave is primed with a unique digital identifier when it's manufactured. Not even Apple knows this number, which means that whatever information is stored in the enclave cannot be pried out of it without your explicit permission--even if a sophisticated hacker were to physically steal your device.
The enclave also gets its own secure operating system, boots separately from the rest of the device, and uses a special technology to ensure that the software it is running was officially sanctioned by Apple. All communication with the enclave takes place in a securely encrypted area of memory, which is re-encrypted with a different key every time the device on which it resides boots.
All this paranoia is a good thing, because the enclave is used to store some of the most sensitive information that makes its way onto your device, such as the digital information required to unlock your iPhone with your fingerprints when you use Touch ID.
Keychain sync could probably withstand a nuclear attack
It seems that Apple designed iCloud Keychain so that it would be able to withstand just about everything short of nuclear winter--perhaps explaining why it took so long for the feature to return after it was discarded during the transition from MobileMe to iCloud. According to the whitepaper, you should be able to securely sync and recover your keys even if you reset your iCloud password, if your account is hacked, or if the iCloud system itself is compromised, either by an external entity or by an Apple employee.
To accomplish this feat, Apple uses a complex web of asymmetric digital keys and advanced elliptic-curve encryption algorithms, coupled with manual controls (like activation codes that the user must enter by hand on a device) to ensure that the company effectively never holds enough information to decrypt the contents of a keychain stored on its servers.
Interestingly, the engineers responsible for this feature have built a degree of selectivity into it, so that only data that is specially marked can actually be sent to the cloud. iOS makes use of this feature to keep some information that is device-specific, like VPN logins, out of the synchronization process, while other information, like website credentials and passwords, is allowed to go through.
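The selective marking described above is visible to app developers through the Security framework. The following is an added example, not code from Apple's whitepaper or from this article; it assumes the public keychain attributes kSecAttrSynchronizable and kSecAttrAccessible, which the article does not name, and the service, server and account strings passed in are up to the caller.

```swift
import Foundation
import Security

enum KeychainError: Error { case status(OSStatus) }

/// Stores a device-specific secret (for example a VPN login) that must never leave this device.
func storeDeviceOnly(service: String, account: String, secret: Data) throws {
    let item: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        // Not marked synchronizable: the item is not offered to iCloud Keychain.
        kSecAttrSynchronizable as String: false,
        // "ThisDeviceOnly" items also do not migrate to a new device.
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    ]
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Stores a website password that is explicitly marked as eligible for sync.
func storeSyncable(server: String, account: String, secret: Data) throws {
    let item: [String: Any] = [
        kSecClass as String: kSecClassInternetPassword,
        kSecAttrServer as String: server,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        kSecAttrSynchronizable as String: true,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked
    ]
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Audit helper: returns the account names of internet passwords marked for sync.
func syncedInternetAccounts() throws -> [String] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassInternetPassword,
        kSecAttrSynchronizable as String: true,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitAll
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return [] }
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    let items = result as? [[String: Any]] ?? []
    return items.compactMap { $0[kSecAttrAccount as String] as? String }
}
```

Running the audit helper during a security review shows which of an app's stored credentials have been opted in to synchronization, so anything device-specific that appears in the list can be moved to the device-only path.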
All told, Apple's whitepaper paints the picture of a company that is--at least publicly--deeply committed to the security and privacy of its customers.
Of course, the actual veracity of Apple's claims depends to a large extent on the trust that its users place in the company, since we can't just waltz into its server facilities and ask--nay, demand--that we be shown the source code. Even though practically everything that flows through iCloud and Siri is encrypted end-to-end, there is still a possibility that the folks from Cupertino may maliciously tweak the company's services (or even its operating systems themselves) in such a way as to silently compromise our every email, our every call, and our every text message.