> The burden of proof should fall on Apple in an ideal world

It does, but its not an element of a crime being proven, so the burden isn't “beyond a reasonable doubt”, but (as for most things in a civil case, though sometimes other standards apply) “preponderance of the evidence", for which you need to convince the court that, based on the evidence provided, the facts you need are more likely than not to be true.

It does, but this is what the discovery process is for. If NSO wants to claim that they somehow got these accounts without agreeing to the EULA process themselves, Apple is going to request and the judge is going to approve a discovery request for NSO to turn over every record they have related to the accounts, when and how they were obtained, and who obtained them for NSO. If NSO wants to pretend that they have no such records, didn’t get the accounts themselves, and don’t know what third party obtained them, they’re going to get a very skeptical response from the judge, and they’re probably going to have to send a bunch of employees to go make statements that in addition to not having any records, none of them remember how this happened either. That’s probably the point at which Apple reveals that really they know via IP addresses or geolocation or something that all of the accounts were registered in an office building occupied by NSO, and then NSO gets sanctioned to hell and a bunch of employees are revealed to have lied in their testimony. That’s an absolute nightmare scenario for NSO.