What's funny about it is that apparently some of their WatchOS/device combos have FIPS 140-2 and FIPS 140-3 certifications. Pretty useless security theatre if you then shuffle the data around to other operating systems or into arbitrary servers with complex infrastructures.

Not if your API design is so bad that any third party can access them, apparently.

Aside from that, I'm pretty sure they'll also get stored on their servers, if you have not declined all the nagging iCloud sync requests.