PCC is supposed to work only on Apple silicon. You are supposed to trust that the input will be decrypted within the enclave which is next to inference engine on the same box. This way you know the input does not leave the server. If they offload to another server (eg google) then the privacy boundary is broken, once it leaves the enclave. Microsoft does it differently, where inference is confidential so more guarantees if that could be replicated.

Yeah I overestimated the PID stripping that was being done on-device before being handed off to a server. After other comments I realize there needs to be a lot of plumbing on the server-side too.