So the device knows the passcode therefore... and then you make it easy to search if they need to by including wildcards and certain chars they require...
Actually, no, unlike the system used on bolt-on encryption, like Android's, it doesn't. Every time the passcode is entered, an algorithm is applied to it which compares the resulting coded key to a one-way hash. The passcode cannot be calculated from knowing the hash. If the algorithm's result matches the hash stored in a location buried in the Secure Enclave, which is unreadable by the system's processor, then that result will be passed on to another stored algorithm in the dedicated encryption engine processor to be entangled with three other Secure Enclave stored pieces of data to create the actual encryption key to unlock the data.
So, no, none of the keys are ever stored on the device. They are generated as needed . . . and kept in a locked special processor the system processor cannot read. Nor can that area be read from the outside. It's buried deep in a six-layer IC. Ergo, no search can ever find it. Locations are also randomized. Nice try.
Samsung's vaunted Knox was found to keep its encryption keys in an unencrypted cleartext library where anyone could find them. This was discovered three weeks after they got certified for use by the US Military. ROTFLMAO!
The hash code is stored in the cloud, I believe - the device knows nothing.