Without the Recovery Key, you need the device Passcode as the data in iCloud is encrypted by using Advanced Data Protection and either one of those is needed to decrypt the data. Apple does not save them so they do not know what they are and cannot decrypt the data themselves.
ADP is not turned on by default, so it would have to be done on your device and any other device that uses the same Apple Account. When you turn ADP on one device it applies to every device that is currently using the same Apple Account. The other device is called a Trusted Device as it currently is signed into your account, so if you do have access to another Trusted Device, then you can use that to turn off ADP. You will not be able to turn it off or access the data from a device that is using a different Apple Account.
Web access is disabled when ADP is turned on, so accessing iCloud on the website is not an option. That is another protection to limit access to your iCloud data. ADP is an optional measure to put you in total control of your account with the credentials to the account being only what you know, where not even Apple has the capability to access it. That is the ultimate level of cloud security, which makes it impossible for anyone else to view or steal your data. Even if law enforcement produced a subpoena or warrant for your data, Apple would be unable to provide it, where currently they must comply for any data they have access to.
I understand you don't remember turning it on, but that can only be done by someone that has access to a device that is using your Apple Account. Apple cannot turn it on because they don't know your device passcode to encrypt the data.
