Some of this info is potentially helpful, but some of your response is inaccurate at best. I'll do my best to scaffold you towards understanding as I'm sure it's not your intention to spread misinformation.
Device list on Apple account- Yes, that's been done. I remote deleted and deauthorized all devices except my iPhone 11 (12,1) on November 6, 2024. As I said in my original post, these are phantom devices (worth Googling). They do not show up on Find My or on my account list, hence the term phantom device. It's a well-documented and complex issue across the whole field of technology (telecommunications, IoT, anything connected to a network.) You might find the subject interesting since you seem like a passionate hobbyist.
Safety check- yes, I know about this feature. I perform them about once a week, and is often how I have confirmed that the breach is ongoing. While it can be a useful tool, it is limited in its functionality. It is by no means comprehensive or a silver bullet.
Transfer apps and media- now this is helpful, thank you. I assumed Senior Support was correct when they told me it wasn't possible, this is a great workaround. Really appreciate this.
No, old devices do not reauthorize each other and the IP Address is not what is Trusted.
So this is where our understanding diverges. Do you have any sources to support what you're saying? Here are three of my sources: Patrick Wardle's Methods of Malware Persistence on macOS, Sarah Edward's Ubiquity Forensics (DEF CON 23), and Patrick Wardle & Christopher Lopez' Did Apple Solve Persistence.
An attempt to sign into your account on another device that is not using the password will still require the Verification Code that is sent to the Trusted Device that IS currently logged into your account.
That is true, with newer iOS versions, but was not always true. These were old devices that hadn't been used for quite a while and likely didn't have space for an OS update. I'm not trying to be harsh by correcting you point by point, but the safety of domestic violence survivors is my priority, and your blanket statements could easily misinform someone else in my situation. Please try to consider the impact of making absolute statements without having enough information to make such a determination.
The alternative is to send the verification code to a Trusted Phone number that has already been set up on your account. That is why previously I recommended to verify the numbers stored there.
Are you familiar with SS7 security? It was developed in the 70's and has many well documented vulnerabilities. SMS should not in any way be used for 2FA. I personally rely on a physical security key and avoid companies that force SMS 2FA at all costs.
I have no idea what part of the Privacy Report you are concerned with or if you are talking about the Privacy Report in Settings or the data you can request on your account.
I did not say anything about Privacy Reports in my post. I was referring to the data I downloaded from privacy.apple.com. I've attached a screenshot of one of the csv files from that privacy data which show evidence of phantom devices receiving push notifications below, with the device IDs redacted for my privacy and security.
If you cannot see the screenshot, you can also view it here. I own an iPhone 11 (12,1) and all others are unauthorized.
