> Obviously "unfettered access to the device" is really useful to steal user keys while the device is unlocked, but it's not so helpful after the fact.
Exactly: the ability for Apple to send a specific user a different firmware update than they send everyone else is extremely brutal and there is absolutely no way the user (no matter how intelligent) could even tell that they were being targeted as the only person who has even remotely powerful access to the firmware being loaded is Apple themselves.
> This late in the game, how can that possibly give Apple user filesystem keys? Those require the PIN or password.
You just brute force this. On the iPhone 4 it took minutes to brute force a 4- digit PIN code, and clearly it wouldn't be a challenge to brute force a 6- digit PIN code (this is still less than a day). If the user has a password, it might take a while (depending on how good it is), but it is still a guaranteed attack. You can quibble with me on the definition of "unfettered", but I maintain that "will take (maybe) some time but almost no effort to get a 100% success rate, and which will complete almost certainly before the statute of limitations expires on the crime" is not usefully "fettered".
