Yeah, we have changed that in the new iOS app. Well, it’s not that new anymore, but since you’ve revived an old thread… 
We are now using kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly:
After the first unlock, the data remains accessible until the next restart. This is recommended for items that need to be accessed by background applications. Items with this attribute do not migrate to a new device. Thus, after restoring from a backup of a different device, these items will not be present.
But still, in the old app, it was also not stored in the iCloud keychain. Back then, encrypted backups were only possible via macOS if I recall correctly. I think it’s fairly new that iCloud backups are encrypted when they introduced Advanced Data Protection (I believe last year?). That’s why we didn’t think that it broke Cryptomator’s security target.