First, LLM providers providing their services to European customers are bound to European privacy laws (GDPR) as well. If third-party providers violate the GDPR, it is not Apple's problem. Just like it's not the problem of Debian if you run Claude Code and Claude Code decides to upload your whole life (even though the OS provides the APIs to read the files).

Second, they could provide users with permission toggles of what users want to share and what not. Same as iOS/Android do now for contacts, location access, etc.