(no title)

Apple takes a photo, runs it through some on-device transformations to create an encrypted safety voucher, then it gets "interpreted" once it's uploaded to the cloud and Apple attempts to decrypt it using their secret key.

Google uploads a raw photo, which itself is essentially a meaningless value in the context of identifying CSAM, and Google "interprets" it on the server by hashing it and comparing it against some database.

In both cases, the values that are uploaded by the respective companies' devices don't mean anything, in the context of CSAM identification, until they are interpreted on the server.