Based on security issues that exist without two factor, the only way I can ethically support iCloud with PII is if
1) Two factor is enabled at sign up / authentication
2) My data is inacessible if Two Factor is disabled.
3) Optionally - I get notified if Two Factor is disabled and I revoke access
Is this possible?
Ethicas aside, Apple does not require two factor authorization to allow an app to access its content on iCloud. But your app is the only pipeline into data it stored on iCloud. Within your app you can limit access to those users who satisfy your app's special requirements. If you wish, you can add two factor authentication within your app. You will have to implement that two factor authorization.
Apple decides what security is required for iCloud and how it is implemented.
If you are not comfortable with their decisions, I would suggest using an alternative.
