Apple silently uploads your passwords and keeps them

submitted by
Style Pass
2024-11-01 07:00:04

This is a follow-up to my blog post macOS Sonoma silently enabled iCloud Keychain despite my precautions from five months ago. The TL;DR of that blog post is that when you have iCloud enabled but not iCloud Keychain, updating from Ventura to Sonoma causes iCloud Keychain to be silently enabled. (I don't know yet whether that still occurs when updating from Sonoma to Sequoia.) What I didn't realize at the time, indeed didn't realize until now, is that iCloud Keychain already uploaded all of my passwords and kept them in iCloud even after I disabled iCloud Keychain.

Let me start with some background. My main machine with all of my personal data including passwords is a MacBook Pro, which is still running Sonoma. It's logged into iCloud, but I don't use iCloud for anything personal. The only reason I enable iCloud is to work on sync features in my apps for my customers. Also for development purposes, I have an iPad and a Mac mini with macOS Big Sur through Sequoia installed on separate APFS volumes. Both devices are used only for software testing and contain no personal data. Finally, I have an iPhone, which I've never actually logged into iCloud.

Today I was shocked to discover a bunch of my website passwords in Safari while booted into Sequoia on the Mac mini. There shouldn't be any personal data on the mini, and iCloud Keychain is disabled in its Sequoia volume. Incidentally, the reason I was looking at Safari passwords on the Mac mini is that I noticed on the MacBook Pro that Allow Automatic Passkey Upgrades was automatically, silently enabled in Safari, and I wanted to check whether that was also true on other devices.
