If you have advanced data protection enabled, Apple claims: “No one else can access your end-to-end encrypted data — not even Apple — and this data remains secure even in the case of a data breach in the cloud.”

https://support.apple.com/en-us/102651

Last time I onboarded a Mac (a few months ago), it would very explicitly ask if you want to enable support for remote FileVault unlocking.

That said, they could also roll out a small patch to a specific device to extract the keys. When you really want to be safe (and since you can be a called a 'left extremist' for moving your car out of the way, that now includes a lot of people), probably use Linux with LUKS.

Any American company will hand over data stored on their server (that they have access to) in response to a warrant.

Apple provides an optional encryption level (ADP) where they don't have a copy of your encryption key.

When Apple doesn't have the encryption key, they can't decrypt your data, so they can't provide a copy of the decrypted data in response to a warrant.

They explain the trade off during device setup: If Apple doesn't have a copy of the key, they can't help you if you should lose your copy of the key.

Except you’re not coerced (near enough forced?) to use an account password managed by MS on Apple. Until MS themselves publish, for home users, how to set up without an MS account, I’m considering it forced.

iCloud login is still optional on macOS. Can't download stuff from the App Store and I think some continuity things require iCloud, but otherwise pretty solid.