They aren't, the key is burned into the chip. You could decap it and try and get at it that way, but that also runs the risk of destroying it and losing all hope of data recovery.
No, all iOS devices have hardware keys. Newer devices have the Secure Enclave which is a separate chip that stores hardware ID and does the actual encrypting/decrypting.
Sure, but if all of the state is on the NAND flash, you can nearly trivially bypass all the retry restrictions with a hardware-level snapshot. There's nothing on the SOC that's persistent. Boom, done, and the FBI is exposed as a pack of idjits. (Of course, this is not about the single phone, and never has been. But let's continue that fiction for the sake of argument).
