Russian dolls.
Jokes aside, we now get to the nub of the matter. You can encrypt it at rest... and then you have to store the encryption key somewhere to allow you to use it. And if you use the data in the cloud, then the keys have to be stored somewhere in the cloud as well.
Client-side encryption can fix this, but you then have to have a means of distributing/generating the client-side key, and we're back to the same old problem of signing the new key with something that you can trust on the Internet, which then makes the signing key vulnerable (and of course, you can't process the data in the cloud!).
If you have it locked to one device, then sharing data is difficult, which negates many of the perceived benefits of the cloud. And you have to have some form of back-door, because devices can and do fail (and Apple appear to want to replace complete motherboard assemblies including the SSD storage if a device fails in warranty). So where do you secure your device storage in case of failure? Why, the cloud, of course!
Without some completely inviolate signing method, the cloud can never be completely secure.
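An added example, not part of the comment above, that makes the "Russian dolls" point concrete: the data is encrypted with a data key, the data key is wrapped with a key-encryption key, that one with another, and so on, but however deep the nesting goes the outermost key has to exist in plaintext somewhere for anything to be readable. It is standard-library Python only, so the cipher is an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag (a PRF-CTR construction chosen for portability; in production you would use AES-GCM or similar). The function names, the blob layout (nonce || ciphertext || tag) and the sample plaintext are assumptions made for the example.

```python
"""Envelope ("Russian doll") key wrapping, demonstrating that the chain always
bottoms out in one plaintext root key.  Added example, stdlib only.
Cipher (assumption for portability): HMAC-SHA256 keystream in counter mode
plus an encrypt-then-MAC tag, not AES-GCM."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag under a 32-byte key."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then decrypt.  Raises on wrong key/tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified blob")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def wrap_chain(plaintext: bytes, depth: int) -> tuple[list[bytes], bytes]:
    """Encrypt data with a fresh data key, then wrap that key with a fresh
    parent key, `depth` times.  Returns (blobs, root_key).  Every blob can be
    stored in the cloud; the root key is the one thing the chain cannot
    protect, because it is what unlocks the chain."""
    key = os.urandom(32)
    blobs = [seal(key, plaintext)]          # blobs[0]: data under the data key
    for _ in range(depth):
        parent = os.urandom(32)
        blobs.append(seal(parent, key))     # blobs[i]: key i-1 wrapped by key i
        key = parent
    return blobs, key


def unwrap_chain(blobs: list[bytes], root_key: bytes) -> bytes:
    """Peel the dolls from the outside in.  Needs the plaintext root key."""
    key = root_key
    for blob in reversed(blobs[1:]):
        key = unseal(key, blob)
    return unseal(key, blobs[0])


def is_recoverable(blobs: list[bytes], candidate_root: bytes) -> bool:
    """True only if candidate_root is the real root: with the stored blobs
    alone, nothing in the chain yields plaintext."""
    try:
        unwrap_chain(blobs, candidate_root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = b"constructed sample: customer_ledger_2024.csv"   # constructed input
    stored, root = wrap_chain(sample, depth=3)
    print(f"{len(stored)} blobs stored, root key (must live in the clear somewhere): {root.hex()}")
    print("recovered:", unwrap_chain(stored, root))
    print("recoverable without root key:", is_recoverable(stored, bytes(32)))
```

Adding more layers only moves the problem: whoever (or whatever service) holds `root` and can read the stored blobs can read the data, and whoever loses `root` has lost the data, which is exactly why a "back door" or escrow copy ends up being kept somewhere.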