Apple can push firmware updates to the HSM just like the device. So if they really wanted they could add an operation that extracted the keys (likely by encrypting them to a key that lives in Apple's cloud).