> Only if the data is available in iCloud and it is stored in files and it is not encrypted.
Health data is available in there, just to go after your example. iPhone backups are also available in there.
At no point am I being asked anything else beyond my Apple ID, password, and two-step approval on another device (such as the Mac) to set up a new iPhone and download all my data.
Thus the outcome is that the Mac indeed has everything it needs to get access to all your iCloud data. In fact, reverse-engineering how to get it directly is unnecessary work - instead, just reverse-engineer enough to capture the Apple ID password (or prompt to it - given there's still no way for the user to tell a real system dialog from one drawn by malware) and approve the 2FA prompt, get an actual, real iPhone and sign into the person's account and then extract all the data from there (via screenshots if necessary).
Health data is available in there, just to go after your example. iPhone backups are also available in there.
At no point am I being asked anything else beyond my Apple ID, password, and two-step approval on another device (such as the Mac) to set up a new iPhone and download all my data.
Thus the outcome is that the Mac indeed has everything it needs to get access to all your iCloud data. In fact, reverse-engineering how to get it directly is unnecessary work - instead, just reverse-engineer enough to capture the Apple ID password (or prompt to it - given there's still no way for the user to tell a real system dialog from one drawn by malware) and approve the 2FA prompt, get an actual, real iPhone and sign into the person's account and then extract all the data from there (via screenshots if necessary).