Hi,
In addition to the QNAP crypto backdoor link you posted, you should read this as well:
And while I can’t provide a 100% true answer to your questions about if and how QNAP or others store the credentials to your Storage, I think that’s the point. You have to trust someone to do it right.
For me personally I just couldn’t. I liked the possibilities that cloud services promised and indeed provided, but while I never trusted Cloud providers to keep my data 100% private, I never used them.
For me the solutions of QNAP or WD are pretty much the same, with the only difference that the storage is standing in front of me. The access is still managed by the provider. And furthermore you never know if there are backdoors in your NAS like the ones already mentioned.
QNAP describes the authentication against the device on their website as follows:
Authentication
Your account and device information can only be accessed after your myQNAPcloud user account (QID) is authenticated. In addition, before a user can access files on the device or manage the device via CloudLink, that user is required to enter correct credentials for the device, even if that user has signed in his or her myQNAPcloud account. This enforces two-step authentication for stronger security.
I think this is a much better solution than granting everybody access to the NAS who can authenticate against the website of QNAP. But still QNAP is a man in the middle (I think about man-in-the-middle attacks there). Especially when law needs to be enforced I see the danger that an authority can make QNAP or the other providers collect your credentials by a man-in-the-middle attack. Encrypted drives don’t help there.
Additionally QNAP uses weak ciphers for HTTPS:
TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS 1.1 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS 1.0 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
That’s something I can push to more security on my own server.
So I first started to use a cloud server when I was able to set up one on my own. And sure I have a NAS. It’s mounted in Nextcloud and isn’t directly reachable from the Internet.
In my opinion Nextcloud made it easier than ever before to set up one’s own cloud server, and the effort they put into making it a totally secure and private solution for the user impresses me. They know that no server is uncrackable and they provide and advertise a solution for that as well, which they develop and push forward to be easily usable for everybody: end-to-end encryption. Correct me if I’m wrong, but I believe that’s not offered by QNAP, Synology, …
To make it short: I think, if data security is very important to you, you’d better not host a cloud server with any provider and not use the cloud services of the NAS providers. It’s said: If you want it done right, you better do it yourself.
Just my opinion, but I hope it’s helpful.
@jospoortvliet Something you would like to add here?
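
As an added example, not part of the original post: a small Python audit of a scan listing in the format quoted above, which marks each suite that lacks forward secrecy (the static-RSA suites the scan labels WEAK). The CBC-mode and deprecated-protocol checks go beyond the labels in the listing; the names `audit` and `keep_list` are chosen for this example.

```python
import re

# Excerpt of the scan listing quoted in the post (a subset, copied as-is).
SCAN = """\
TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS 1.0 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
"""

HEADER = re.compile(r"^(TLS \d\.\d) \(suites")
SUITE = re.compile(r"^(TLS_\w+) \(0x[0-9a-f]+\)")
DEPRECATED = {"TLS 1.0", "TLS 1.1"}  # formally deprecated by RFC 8996

def audit(listing):
    """Return [(protocol, suite, [reasons])] for every suite in the listing."""
    results, proto = [], None
    for line in listing.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            proto = m.group(1)  # start of a new protocol-version section
            continue
        m = SUITE.match(line)
        if not m or proto is None:
            continue
        name, reasons = m.group(1), []
        # TLS 1.3 names have no "_WITH_" part and always use ephemeral key exchange.
        if "_WITH_" in name and "DHE" not in name.split("_WITH_")[0]:
            reasons.append("no forward secrecy")
        if "_CBC_" in name:
            reasons.append("CBC mode")
        if proto in DEPRECATED:
            reasons.append("deprecated protocol")
        results.append((proto, name, reasons))
    return results

def keep_list(listing):
    """Suites with no finding, i.e. what a hardened configuration would still offer."""
    return [(p, s) for p, s, reasons in audit(listing) if not reasons]

if __name__ == "__main__":
    for proto, suite, reasons in audit(SCAN):
        print(f"{proto}  {suite}: {', '.join(reasons) or 'ok'}")
```
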