In order to decrypt anything, someone needs more than just your device screen lock passcode. Secure Enclave uses that as part of generating the encryption keys, but it also uses hardware information from your trusted devices (those Apple devices you have actively signed into iCloud with your 2FA enabled AppleID). So to decrypt anything someone needs to be able to restore your backup to one of your trusted devices and only then would your screen lock passcode grant them human readable access to the data.
So someone guessing your screen lock passcode and having access to your backup file is still sol without access to one of your trusted devices. Secure enclave’s algorithm for generating encryption keys needs a lot more input than merely the screen lock passcode. That comes up here often when people’s kids or someone else disable their device but they know their screen lock passcode and hope to recover their data. But that is impossible as the disablement of a device deletes the data encryption keys. Those were uniquely generated by Secure Enclave when the screen lock passcode was first set, but the algorithm uses device hardware ID information as well when generating the keys. Even when set up again with the same screen lock passcode, new, unique encryption keys would be generated.
Note from the article I linked, that things like messages are not recoverable via iCloud account recover: “If you forget your password or device passcode, iCloud Data Recovery Service can help you decrypt your data so you can regain access to your photos, notes, documents, device backups, and more. Data types that are protected by end-to-end encryption—such as your Keychain, Messages, Screen Time, and Health data—are not accessible via iCloud Data Recovery Service. Your device passcodes, which only you know, are required to decrypt and access them. Only you can access this information, and only on devices where you're signed in to iCloud.”
So ultimately access to end to end encrypted data is only possible on a persons own trusted device(s) which not even Apple has. So access is tied to securing both your device (screen lock passcode) and your AppleID (via the system of trusted devices established under the 2 factor authentication security system).
Personally, I just use messages in iCloud so my messages are the same across my 7 Apple devices. If I ever did need an archival backup of texts, I would spend the $30 or so bucks for some MacOS archival program like PhoneView and just archive those texts as txt or pdf files. Even iCloud backup is not an archival backup as it is incremental every day and does not keep all past copies like Time Machine does. So at most you can recovery messages from an iCloud backup from a couple or few days back, but no further.
P.S. I don’t claim to be an expert on Secure Enclave, nor how Apple has implemented its features with online security and AppleID 2FA or other changes over the years. But Apple’s commitment to data security and data privacy clearly includes integrating their offerings through both security of data on devices as well as data security for their online services and the transmission to and from devices and Apple online services. There is extensive, publicly available Apple developer documentation on Secure Enclave, but much if it is very technical. There is less public information for iCloud since that security is not something public developers get too deep an inside look at (for obvious reasons).
