Two master secrets are randomly generated when pairing the AirTag for the first time, which are then saved to the iCloud keychain. Those secrets are then used to generate a new keypair every 15 minutes (at most), and the public key is broadcasted by the tag. Not only does Apple not know what the master secrets are in the first place (because they're stored in the keychain), but that's also an insane number of keys to compare against, with no real possibility to precompute them. And that's a big win in terms of privacy.
