Note, the devices DO NOT SEND UNENCRYPTED DATA, so parts of this do not ring true. It sounds more like phishing.
China did insist that Apple could NOT use their own servers but was required to use Chinese servers instead. Apple agreed, but insisted in maintaining the server level encryption with keys kept off shore. So, any data intercepts would be encrypted by the devices to 256 bits, using the users' ID passcodes entangled with hashes created by the device using the unique device UUIDs. It IS possible for a Man-in-the-Middle-Attack to spoof someone into entering their username and password. . . but Apple devices always required certificated connections to secure sites before that can be done. . . and those are pretty damn secure.
Apple China iCloud Security Ping!
If you want on or off the Mac Ping List, Freepmail me.