HT202303: iCloud security and privacy overview

Greg Hendley

Q: Who holds the AES encryption keys mentioned in the table under "Security and iCloud features"?

The article "iCloud security and privacy overview - Apple Support" has a useful table in the section titled Security and iCloud Features.

The table states the types of keys used to secure different kinds of data.

Does Apple hold those keys such that they can be requested from Apple by third parties?

iPad Air 2 Wi-Fi, iOS 9.2, Also applies to mac with latest OS

Posted on Jan 12, 2016 5:33 PM


  • by zinacef,

    zinacef Jan 12, 2016 6:37 PM in response to Greg Hendley
    Level 4 (3,320 points)
    Applications

    Hmmm... you certainly raise an interesting and valid question to which I don't know the answer, but if I had to make a guess, I'd say no one. Could that be possible? I know I've heard Cook mention that they "don't hold the keys" but is that the same thing he's referring to? This would make a very interesting topic for discussion.

  • by ChrisJ4203,

    ChrisJ4203 Jan 12, 2016 6:40 PM in response to Greg Hendley
    Level 9 (57,350 points)
    iPhone

    From what I have read, and heard from what Apple has testified to, they exist only on the device, and are not accessible by anyone. Not sure exactly how that works, but the only way to encrypt and decrypt is held by the phone itself.

  • by applesuppnev,

    applesuppnev May 18, 2016 4:09 PM in response to ChrisJ4203
    Level 1 (8 points)
    iCloud

    What I hope to find is that the files are encrypted before transit. If that's the case, then the SSL encryption for transit is removed when it arrives at iCloud, leaving an encrypted blob. This would mean that only the user device has the key to decrypt the file. However, their wording suggests to me that it is not encrypted before transit. Now, Cook and several Apple employees I've talked to have said "WE DON'T HAVE THE KEY AND CAN'T LOOK AT YOUR FILES". So I don't know which it is.

     

    If files are encrypted before transit, and the only thing on the wire is a re-encrypted blob, then iCloud is fantastic and a "home run".  If it is not, then it's just another cloud service that we just have to trust, or not trust, but have no way of knowing if our stuff is secure.