"Where is it stated that the BitLocker recovery key is stored online?"


For non-domain-joined PCs using a Microsoft account, the BitLocker recovery key is stored online in OneDrive, which for most users is likely a good thing as encryption is now enabled by default.

"if somehow those keys were hacked and extracted - seems to be a high security risk."

Well, they would also need physical access to your device to use them. And as a non-domain-joined user, you probably wouldn't have required a PIN or enabled 2-factor authentication - so if they have your Microsoft account, they could log in to your device anyway...

However, if you have something that you really want to protect from the NSA, law enforcement, foreign governments, etc., then the keys can easily be viewed and deleted here:

"Does everyone get an online account automatically with Windows 10?"

Nope - you can choose to use a local account or a domain account only if you want to.

