They can't scan them in the cloud because, unlike other cloud storage services, the data is encrypted before leaving the device and they don't have access to what they are storing. They still don't want to host bad stuff though so they tried to come up with a way to still scan somewhere while not making the encryption in the cloud useless for everyone.

Possibly your understanding of the motive is correct. But your understanding of iCloud security is not. Apple did not offer end to end encryption of photos until after. And it is not the default now.

> Why ahould the phone scan local photos?

To avoid doing it in the cloud? Then you can turn on end-to-end encryption on uploaded photos.

> private photos leaking to companies employees

Where N of them have matched known CSAM hashes at the point of being uploaded to iCloud, they will be presented for human verification, yes. How is this worse than the photos being scanned in iCloud and being flagged for similar verification?

You can turn on end to end encryption without scanning. Apple did. And Apple's modified key escrow ruled out end to end encryption. End to end means end to end. Not end to back door.

Known CSAM hashes is incorrect. The sources of the hashes are known to contain false positives. And true positives are not limited to depictions of sexual abuse.

Because icloud is a cloud service, this is my phone scanning my photos.