The iCloud security overview [1] says iCloud backups are encrypted "in transit" and "on server", but indeed doesn't say much about the encryption keys. There is "end-to-end encryption" on just a few items (iCloud keychain, WiFi passwords, etc.)
Maybe this is me being out of touch with modern deployment, but that is absolutely not what my impression of "on the server" means. My mental model is that of a client, whatever software is under my control, and a server, which is whatever my client connects to. "Encrypted on the server" then means that at no point is the plaintext data visible to any part of the server.
If Apple splits up the server into a web server and a storage server, then uses "encrypted on the server" to refer only to the storage server, that is entirely disingenuous.
There's a difference in encrypted data at rest vs. end-to-end client side encryption. Encrypted data at rest protects against stolen physical storage devices. Without access to decryption key stored on a separate machine, you're unable to read data on the storage device.
Encryption at rest doesn't protect users from the company, since the company has the decryption key. It protects your data if the company misplaces the storage drive.
It's common in corporate environments to check compliance boxes, which is why AWS offers encryption at rest:
True, but I read a big distinction between "encrypted at rest" and "encrypted on the server". Encrypted at rest has the implications that you state, being there to prevent somebody from walking off with a hard drive. Encrypted on the server implies that it is never unencrypted while on the server, and that any server-side computation is done solely through homomorphic encryption.
1. https://support.apple.com/en-us/HT202303