In short, only you with your password can see your data. Others, even Mozilla’s servers, without your password, can not see your decrypted data.
In technical terms, the FxA server holds a “wrapped copy” of kB, which
requires your password to unwrap. Nobody knows your password but you
and your browser, not even Mozilla’s servers. Not even for a moment
during login. The same is true for kB.
To access any data encrypted under kB, you must remember your
password. This means that anyone who doesn’t know the password can’t
see your data.
If you forget the password, you’ll have to reset the account and
create a new kB, which will erase both the old kB and the data it was
protecting. This is a necessary consequence of properly protecting kB
with the password: if there were any other way for you to recover the
data without the password, then a bad guy could do the same thing.
You can get a detailed technical explanation of the mechanism used by Firefox Sync at: https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol