"Or it’s possible that they have information that you don’t. "
Ahh, the old, "It's not impossible," so we must treat it as if it's true," approach. It's called sophistry, and it's no substitute for facts. Saying that something is possible has no connection to it happening or not happening.
As for my qualifications for making my observations, I designed computers and computer systems for 40+ years, and learned programming on the LGP30, a desk size computer designed by Stan Frankel, who helped design ENIAC. I ended up as chief engineer of an industrial barcode reader company. I've also worked in quality assurance and product testing, so I'm not giving supposition and maybes.
If it makes sense for Apple to require a passcode when making a hard connection to the computer because the computer might be infected, that reasoning does NOT magically vanish when it also backs up to the iCloud.
And if facial recognition is safe enough to open your phone and grant access to everything on it, it's also safe enough to authorize backup—especially if allowing it would, at the same time, remove the need to manually type in those pesky numbers. One small change and two problems solved.
And, there is also absolutely no reason to back up a phone that has been used for nothing since the last backup. Time Machine doesn't. But disconnect the phone from the computer and reconnect it again, and the full process repeats.
The thing is, Apple programmers make mistakes, as we all do. It's the function of the QA department to catch those errors, via beta testing, and formal acceptance tests. But they didn't. They also apparently don't make use of a feedback resource like these forums. And that's a mistake.