Apple doing the scan on device is a big deal for several reasons.
First, ask why they don't they just do this in the cloud? They are cheap. They want to leverage the local neural engine in the iOS device to do this workload. At scale it's a huge computational load and they want their users to pay for it.
Further, consider how much goodwill they just nuked for distributed use of those A-series chips for something positive like protein-folding analysis to help with COVID. No, instead Apple chose to treat their entire userbase like suspected pedophiles. That burns a lot of charity.
The fact that the scan is done on the user's phone, without their consent, and *prior* to uploading makes this a warrantless search that Apple is conducting as a fishing expedition on behalf of law enforcement.
Law enforcement cannot do this without a warrant which requires probable cause.
NCMEC is a private foundation, but is funded by the US Justice Department. Anything Apple refers to them will be reported to FBI or other agencies. It's also run by longtime infomercial hawker John Walsh, father of Adam Walsh.
People thinking that Apple will not make a mistake really overestimate the level of care Apple will use. Likely, their employees will never actually see the CSAM photo. They will simply look at the match count and forward to NCMEC for review.
Comparisons to cloud-hosted data being scanned are simply not the same as what Apple is doing here and the way they dropped this has been unbelievably badly handled.
This will keep building as a PR disaster and we will see if Stella Low can handle it. She's from the UK and maybe she just doesn't understand the Fourth Amendment landmine Apple just stepped on. She likely was on a team that signed off on this whole thing in advance. Jobs' longtime PR chief Katie Cotton (left in 2014) would have seen this coming.
Then there is the mission creep of adding new hashtables of wrongthink to check for, "for the children" or to protect you against terrorists. The precedent that Apple can use our personal resources to incriminate us without cause is intolerable and is destructive to the brand.