That’s the major concern I have: take as a given that NCMEC is on the side of the angels here, what happens when some government demands that Apple help identify anyone who has an image shared from a protest, leak, an underground political movement, etc.? The database is private by necessity, so there’s no way to audit for updates.

Now, currently this is only applied to iCloud photos which can already be scanned server side, making this seem like a likely step towards end to end encryption of iCloud photos but not a major change from a privacy perspective. What seems like more of a change would be if it extended to non-cloud photos or the iMessage nude detection scanner since those aren’t currently monitored, and in the latter case false positives become a major consideration if it tries to handle new content of this class as well.