Fwiw, that's a clear statement - but only that.

There is no way for us, the users, to know wherever they have the capability to add additional keys to decrypt the data because the platform isn't open source and doesn't have attestation wrt what's actually serving the requests.

And it's worth remembering that apple had similar articles published before prism too which were ultimately proven to be groundless by prism.