Disclaimer: This only applies for users who might face a determined and advanced attacker. This is not intended for the average person!
Bit of context: Your iCloud Keychain (and everyt end-to-end encrypted iCloud service, as they all rely on Keychain) uses a service called „iCloud Keychain escrow service“ which safely provides you with a backup if you‘ve lost access to your trusted devices. This works as follows:
When you first set up your iPhone, the setup assistant will guide you through basic stuff like setting language, restoring from backup, etc. Also, it recommends login into your (or creating a new) Apple ID. After you log into your Apple account, the assistant will ask you for your iPhone passcode in order to safely transmit it to the cloud for the keychain escrow service. (I‘ll leave additional technical detail out, but if you‘re interested, read Apple‘s guide to platform security.) If you enter, your passcode gets transmitted to the backbone of the escrow service, the HSM(s). (HSM = Hardware Security Module, „servers“ specially designed for keeping secrets secret.)
If you lose access to your devices somewhere in the future. You can still access end-to-end encrypted password with the help of those HSMs. You authenticate yourself with Apple ID credentials and your device passcode. In return, the HSM gives you the encryption key for your encrypted data.
Now the important part: Apple claims to have destroyed the access keys for the firmware for the HSMs. So, in theory, no one has the possibility to change the behaviour of those Modules after first setup.
This claim can not be verified, and even if, there‘s another major problem: Apple can‘t update them if new vulnerabilites are discovered. (See the audit of Google‘s similar zero knowledge architecture. They‘ve found a critical vulnerability which allowed an attacker to brute force the device‘s lock PIN.)
Also important: Even if you disable iCloud Keychain on all devices, it‘s still active and your Escrow record is still online!
It is totally up on you to decide how you want to proceed. For most users, this isn‘t a problem as the resistance against an external attacker (and a few Apple employees) is incredibly high. But if your threat model includes Apple as a whole (for example because of a subpoena), you are not protected.
Please note that every end-to-end encrypted service won‘t be usable.
Have a great day!