The keystring is stored in the config file on the boot-pool. The boot-pool is never encrypted.
Simply having access to the boot drive is all that’s needed for someone to retrieve the keystring. (The files freenas-v1.db + pwenc_secret allow someone to extract the keys for all your encrypted datasets.)
Here’s an example of retrieving the keys with the two files, which are stored on the unencrypted boot drive.