Good to know, hence my 95% certainty. Fortunately for me, each new device starts with DFU restore and installation of my own Configuration Profile which supervises the device, disables automatic pairing with new devices, disables useless apps like Game Center, and most importantly disables iCloud Backup entirely, etc.
I keep "optimized storage" turned off for Photos and back up directly from the filesystem. The photo library sits in $HOME/Pictures with all originals and the SQLite database intact - any regular backup solution works fine with this.
For Notes, I've migrated to Obsidian since I couldn't find a reliable backup method for Apple Notes.
Messages is tricky - I just screenshot anything important since it's so tightly integrated with Apple's ecosystem. Most of my important conversations happen on WhatsApp anyway, which lets me export anything I need to preserve.
For Apple Notes, you can technically export using Shortcuts with a loop for entire folders, but it's quite limited. From my experience, it doesn't work with locked/encrypted notes at all - just returns blank pages when you try to access those. That's one of the reasons I switched to Obsidian.
You could always sync and back up (make sure it has a password so that keychain data is stored in the backup) your iPhone to your Mac since the dawn of iPhone OS. You can still use iCloud sync for contacts and notes if you choose to for convenience, but I absolutely do not want iCloud backup.
Perhaps I should document it and link to it in detail, but basically you use Apple Configurator to create a profile, set its restriction flags accordingly, and keep it somewhere you can redeploy with ease, and simply DFU restore the iOS device so that it gets the latest clean iOS image. After that you don’t activate it by going through the setup screen. Instead you use the connected Mac with Apple Configurator to “Prepare” the device, and the computer activates it and pairs it with your “organization” public key, and you can add the profiles you created in the previous steps to apply the configuration restrictions. It’s like having an enterprise MDM, except you don’t need a server; just the local profile is enough.
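As an added example (not code from any commenter in this thread), the following script checks an exported configuration profile for the three restrictions described above before it is redeployed. It assumes an unsigned `.mobileconfig` (a signed, CMS-wrapped profile will not parse with `plistlib`) and the Restrictions payload keys `allowCloudBackup`, `allowHostPairing` and `allowGameCenter`; the sample profile and its identifiers are constructed.

```python
import plistlib

# Restriction keys from Apple's Restrictions payload (com.apple.applicationaccess),
# mapped to the value the setup described in the thread expects.
EXPECTED = {
    "allowCloudBackup": False,  # iCloud Backup disabled
    "allowHostPairing": False,  # no pairing with new hosts (supervised devices)
    "allowGameCenter": False,   # Game Center disabled (supervised devices)
}

def audit_profile(data: bytes) -> dict:
    """Return {key: problem} for each expected restriction that is missing or wrong."""
    profile = plistlib.loads(data)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            merged.update(payload)
    findings = {}
    for key, want in EXPECTED.items():
        if key not in merged:
            # An absent key leaves the feature at its permissive default.
            findings[key] = "not set (defaults to allowed)"
        elif merged[key] is not want:
            findings[key] = f"set to {merged[key]!r}, expected {want!r}"
    return findings

def build_sample(restrictions: dict) -> bytes:
    """Constructed sample profile standing in for an Apple Configurator export."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.local.restrictions",      # constructed
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # constructed
        "PayloadContent": [{
            "PayloadType": "com.apple.applicationaccess",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.local.restrictions.payload",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            **restrictions,
        }],
    })

if __name__ == "__main__":
    # Constructed weak profile: pairing restriction missing, Game Center left on.
    weak = build_sample({"allowCloudBackup": False, "allowGameCenter": True})
    for key, problem in audit_profile(weak).items():
        print(f"{key}: {problem}")
```
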