A few weeks ago Apple opened up "Enhanced Security". This lets you end-to-end encrypt *most*, but not all, of your iCloud data. I think the safest way to use iCloud is to not use it at all, but if you're going to use it, enhanced security is the way to go. Unfortunately this means generating a backup key and having to take custody of it yourself. What that means is if you lose your key, you lose your data.
The big problem with iCloud is that if you back up to iCloud, your iCloud backups are not end-to-end encrypted without enhanced security turned on. In that case anyone who gains access to your iCloud data, including Apple, can access everything on your phone, including your iMessages, all of your location data, and sensitive photos you may have stored on your device.
In 16.3 you can now enable a security key as your second factor for logging in. I discussed this in a previous post, but a security key is a physical key for your digital life. Rather than approving a new device by receiving a code on a device you've already approved, you'll have to tap a physical key against your device. This means that to access iCloud or your Apple account, an attacker will need more than your phone; they'll also need the key, which will be stored away from your phone.
To set it up you'll need two FIDO-equipped keys: one is a primary, the other is a backup. I use Yubico 5 series NFC-enabled keys. If you want more info on how to set it up, I'd recommend using DuckDuckGo to search for a tutorial.