Cloud-stored keys are public-private key pairs used by Confidencial individual accounts. The public key of the pair is stored in the Confidencial Public Key Registry. The private key is split into multiple parts, called “shards,” with each shard stored in a different physical (and virtual) location. This is done to increase the security of the private keys - if any one shard storage location is compromised, it poses no security threat to content protected with those keys, because multiple shards of a private key are required to reconstruct it and decrypt content.
What this means is that an attacker would have to compromise Confidencial’s backend infrastructure AND a third-party’s backend infrastructure AND they would have to compromise your chosen document store - whether that be the cloud, your organization’s internal network, or your computer - to gain access to your Confidencial-protected data.
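As an added illustration (not Confidencial's code; the page does not say which splitting scheme is used), a k-of-n split with Shamir secret sharing over a prime field shows why a single compromised shard location yields nothing, while enough shards rebuild the key exactly:

```python
"""Illustrative threshold sharding of a private key using Shamir secret sharing over GF(p).
Constructed example; the page does not state which splitting scheme Confidencial uses."""
import secrets

# 2^521 - 1 is a Mersenne prime, large enough to hold any key up to 512 bits.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients `coeffs` at x, modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, shards: int, threshold: int):
    """Split `secret` into `shards` points; any `threshold` of them reconstruct it."""
    if not 1 < threshold <= shards:
        raise ValueError("need 1 < threshold <= shards")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Constant term is the secret; the other coefficients are random, so fewer than
    # `threshold` shards leave every candidate secret equally likely.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shards + 1)]


def recover_secret(points, secret_len: int) -> bytes:
    """Lagrange-interpolate at x=0 from a list of (x, y) shards.
    With fewer than `threshold` shards the result is an unrelated field element."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # A wrong reconstruction can be wider than the real key, so size the output to fit.
    return total.to_bytes(max(secret_len, (total.bit_length() + 7) // 8), "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stand-in for a private key
    shards = split_secret(key, shards=3, threshold=2)
    assert recover_secret(shards[:1], 32) != key   # one compromised location: nothing
    assert recover_secret(shards[:2], 32) == key   # two locations: key reconstructed
```

The threshold is a parameter: a deployment that requires every storage location, as the paragraph above describes, would set `threshold` equal to `shards`.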
Individual account users can also opt to store their private key themselves if they prefer not to use a cloud-stored key. See Device-stored keys.