Humorist6543 above all Advanced Data Protection
ADP is a major step forward, but please read Apple's own documentation on it, it is very easy to switch inadvertently to the less secure Standard Protection, for example when using Sharing:
Security implications of sharing and collaboration
"In most cases, when users share content to collaborate with each other—for example, with shared Notes, shared Reminders, shared folders in iCloud Drive, or iCloud Shared Photo Library—and all the users have Advanced Data Protection turned on, Apple servers are used only to establish sharing but don’t have access to the encryption keys for the shared data. The content remains end-to-end encrypted and accessible only on participants’ trusted devices. For each sharing operation, a title and representative thumbnail may be stored by Apple with standard data protection to show a preview to the receiving users.
Selecting the “anyone with a link” option when enabling collaboration will make the content available to Apple servers under standard data protection, as the servers need to be able to provide access to anyone who opens the URL.
iWork collaboration and the Shared Albums feature in Photos don’t support Advanced Data Protection. When users collaborate on an iWork document, or open an iWork document from a shared folder in iCloud Drive, the encryption keys for the document are securely uploaded to iWork servers in Apple data centers. This is because real-time collaboration in iWork requires server-side mediation to coordinate document changes between participants. Photos added to Shared Albums are stored with standard data protection, as the feature permits albums to be publicly shared on the web."
One small slip and there will be cloudside scanning of your Photos.