I guess this eliminates a few options for bad actors:

- brute force
- phishing (users don't even know their public-private keys)
- can't use application OAuth identity to intercept because user creds are probably validated in Apple's servers

Still has some vulnerabilities though:

- hack into iCloud keychain - it's been done before
- malicious third-party app that can retrieve public-private key pairs from device storage