Find the section titled "Secure Enclave." When the SE needs to store data on the filesystem, it's encrypted with a key that never leaves the SE. Effectively, assuming the encryption is implemented correctly, data 'owned' by the SE is never available to any other part of the system.
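The storage pattern described above, modelled as an added example (not code from the guide being referenced and not Apple's implementation): the key is created inside the component and no method returns it, so the host filesystem only ever holds sealed blobs. The cipher (AES-256-GCM) and the names `Enclave`, `Seal`, `Open` and `record-a` are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Enclave models the isolated component (hypothetical type). No method returns
// the key; in real hardware the boundary is silicon, not Go visibility rules.
type Enclave struct{ aead cipher.AEAD }

func NewEnclave() (*Enclave, error) {
	key := make([]byte, 32) // generated inside; only the AEAD handle is kept
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Enclave{aead: aead}, nil
}

// Seal returns nonce||ciphertext; name is bound as associated data.
func (e *Enclave) Seal(name string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return e.aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open authenticates and decrypts a blob read back from untrusted storage.
func (e *Enclave) Open(name string, blob []byte) ([]byte, error) {
	n := e.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return e.aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	e, _ := NewEnclave()
	blob, _ := e.Seal("record-a", []byte("constructed secret")) // constructed sample
	pt, err := e.Open("record-a", blob)
	fmt.Printf("on disk: %x\nopened: %q err=%v\n", blob, pt, err)
}
```

In this model the host can still delete a blob or put back an older one; sealing covers confidentiality and tamper detection only.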