Stumbled across this today:
Checked my phone and iCloud keychain had been turned on – and definitely not by me!
Agree completely with Jeff Johnson that:
“On principle, I should not have to upload my data to Apple if I don’t want. Apple advertises itself as the “privacy” company, but uploading user data to Apple’s servers without notice or consent is a gross violation of privacy.”
You may want to check your settings.
I found this:
How iCloud Keychain protects your information
iCloud protects your information with end-to-end encryption, which provides the highest level of data security. Your data is protected with a key that’s made from information unique to your device, and combined with your device passcode, which only you know. No one else can access or read this data, either in transit or storage.
I turned it on long ago to help wifey with accessing passwords. Am I missing something and compromising our privacy by using it? Lee
iCloud Keychain is not, by itself, a security problem. It does mean, however, that anybody with your iCloud login credentials (including 2FA, if enabled) can access your keychain items.
If you keep your iCloud login reasonably secure, there’s nothing terribly insecure about keeping your keychain there. I do this and it is very convenient because (for example), my Safari passwords sync between my Macs, my iPhone and my iPod.
(Most recently, I was staying at a hotel. I logged on to the Wi-Fi using my Mac first. It synced the hotel’s Wi-Fi password to my iCloud keychain, so when I connected my iPhone, it didn’t ask for a password, because it had it from when I typed it in to the Mac.)
But if you share your iCloud credentials with untrusted third parties (very bad practice) or are otherwise concerned about its security, then you probably don’t want to keep your keychain there.
David, thank you! I now completely follow what you said and what was being said. FYI, I do not share my iCloud credentials with my wifey. She sometimes falls for gullible events. 
I don’t think this is right. I believe that you also need the passcode of at least one device that is also already authenticated to your Apple ID. This is because your iCloud Keychain is end-to-end encrypted and the encryption key is protected with a key that is entangled with your device passcode (iOS or iPadOS passcode, or macOS account password) and Apple does not have access to iCloud Keychain keys. In other words, I think it’s even more secure than you’re suggesting.
iCloud Keychain was on, and I believe I had not turned it on.
Thank you for the discussion on security and the example of how iCloud Keychain is useful. I had wondered why I didn’t need to authenticate my iPhone at a hotel.
You are correct. If you’re not connecting your first device, then you need to authenticate new devices from a pre-existing device.
So if you keep control of your existing devices, it should be hard for an unauthorized third party to get access.