You don’t need to enable the backup, if you don’t trust them. If you don’t enable them the accounts will be stored on your phone same as Google Authenticator or Microsoft.
If you enable backups those are encrypted before uploading to the cloud. Backups are always encrypted/decrypted on your phone. At no time Authy knows about your encryption password and doesn’t hold a copy of it. That means even in the event that the Authy cloud gets compromised they can’t do anything with the data as it stored in an encrypted format.
Authy is salting password and using PBKDF2 to hash passwords to make brute force less effective, in addition to the SHA256 hash algorithm.
If you are keen on looking at the technical aspects take a look at their How the Authy key backups work website.