This sounds exactly like that CSAM "feature" they wanted to add but created a huge outrage because of how incredibly invasive it was.
It sounds like it only needs a few extra lines of code to get exactly what they wanted before, they just packaged it differently and we all fell for it like frogs getting boiled in water.
The CSAM filtering was a best of class implementation. I'm pretty sure I'm one of maybe a dozen people who actually read the spec before throwing a hissy-fit about "muh privacy!"
The only actual "flaw" was that maybe a state-level actor could make it scan for bad stuff on your device.
BUT they can do it to your cloud data _today_. And if you disabled cloud uploads, the local scanning was disabled too.
It sounds like it only needs a few extra lines of code to get exactly what they wanted before, they just packaged it differently and we all fell for it like frogs getting boiled in water.