It’s very easy!
First the relay will only be used if the syncing machines cannot directly see each other. If all sync partners are in the same network no data will leave this net.
Now let’s say you have two computers at home, both positioned in a private network behind a router for internet access, both hampered by the ISP’s NAT that make the computers inaccessible from outside. To use sycthing you’d have to drill a hole in both router’s firewalls (AKA open a port), you’d have to tackle DNS name resolution (by installing some dynDNS software) so that both machines can not only “see” each other on the internet but are also able to locate the sync partners, and maybe take some more (e. g. IPV6 related) measures to get things up and running.
I bet there are a lot of people out there that will hilariously fail to setup such an arrangement, it is somewhat complicated, it includes several devices to configure, it is a bit fragile, people are keen to get quick results, get frustrated when facing problems they don’t quite understand, etc.
So the relay is a solution for that. It is publicly visible on the internet and both syncthing partners can contact it if they have simple plain internet access. There’s no need to do local configuration changes on your computers, router, etc. So client 1 sents a data packet to the relay and client 2 picks it up from there - or vice versa. That way, despite they cannot directly see each other, they’re able to communicate.
This is what the relay server does but it does not break security. Client 1 encrypts all packets it sents before they drop out of the machine’s ethernet connector. And only client 2 (or whatever other machines you allowed to take part in the sync process) has the cryptographic key to decipher any incoming sync packet. This is what you call “end to end encryption”. All the relay server can see is encrypted gibberish. If there’s no security relevant bug in the encryption algorithm and implementation then nobody, not even the NSA, should be able to decipher the content (and there are way easier methods to get hold of the content if some secret service really want’s that data).
So the relay knows almost nothing about the data that is being transmitted. It only knows the IP adresses of the partners communicating, it knows when partners are syncing data and it could calculate the amount of data sent. And this is not a cloud solution because the relay does not store any data, contrary to what you might assume.
Also consider the alternative scenario, drill a hole in the firewall, use dynDNS, etc. This doesn’t mean that there are no others on the way of a packet from A to B that could (and probably will) eavesdrop on your data, your packets might travel half around the globe, passing routers of several ISP’s and network providers. Thus also in this scenario end to end encryption is a must to protect your data. So you will end up with packets behaving very much the same with or without the relay server.
And finally, if you still distrust the relay server you could switch off its usage easily in syncthing’s configuration. However you will then loose the ability to sync over the internet. If you widen your scope beyond syncing two stationary PC’s to e. g. syncing your Android smart phone then you are again in the midst of the road warrior scenario and you don’t really want to disable the relay.