In the case of iOS, it would require access to the phone or iCloud account. Health data is encrypted on device and in cloud storage [1] - see the "Health & Fitness" section.

[1] https://www.apple.com/uk/privacy/approach-to-privacy/

Yes they cannot get anything from a modern iOS device. But they can still (for now) use a warrant to get anything from iCloud. Apple is working on making even that impossible.

It depends on whether it's end-to-end encrypted or not. Unfortunately only some iCloud data is, not all of it (nor is there an option for all of it), but they have been slowly expanding the magic circle there. Health data is a recent addition actually, according to Apple's iCloud security page (HT202303) it is E2E as of iOS 12. Before that it presumably would have been available via warrant, but if someone has all their current devices updated it shouldn't be. Looks like the current full list is:

  Home data
  Health data (iOS 12+) 
  iCloud Keychain
  Messages in iCloud
  Payment information
  Quicktype Keyboard learned vocabulary (iOS 11+)
  Screen Time
  Siri information
  Wi-Fi network information

One odd and notable exclusion though is iCloud Backups. If you use that feature, at least from what I can tell it can actually compromises the E2E of some of the others since keys are stored as part of the backups. I guess Apple considers backups to be more important to the general population to have fallbacks for, but it's also a big privacy hole and I still consider it a bummer that they don't at least have an option to not store keys with Apple there and just have it be an encrypted blob (with UI for printing out recovery keys and such of course, but they've long had that for FileVault already).

Also worth noting that Apple's overall scheme for multi-factor and general Apple ID auth and management remains an irritating worrying clusterfuck, but at least there have been some ongoing improvements I guess.

At this point, I'm willing to accept that Apple has an honest intent (to the extent that any corporate entity has any meaningful intent to do anything) to provide reasonable security on its new devices and related cloud systems. This is at least in part because they are reasonably transparent about how far their existing measures go and they don't seem to have a track record of exaggerating claims in this area.

Clearly they could still go significantly further, as the lack of end-to-end encryption for things like iCloud backups of photos demonstrates.

Another black mark against them for now is their persistence in walling off their ecosystem so much that iCloud (or maybe iTunes running on additional Apple equipment) is the only reasonably usable and future-proof method of transferring data between devices. It really should be possible to import and export common types of data like calendars, photos, contacts and notes in standard formats using standard protocols, and it's clearly a deliberate policy not to support this.

Even so, the world of iOS now appears to be in an entirely different class to the Android ecosystem in terms of privacy and data protection. At least with Apple devices, you can (if you're willing to spend an hour or so toggling settings) basically turn off all of the data sharing and remote services if you just want a modern phone with standard communications tools like web and email available. And at least Apple doesn't have an obvious commercial interest in undermining its own devices' privacy safeguards.

The option for avoiding iCloud backup is iTunes encrypted backup. iCloud backup is very convenient but also not dangerous.