This is different now. They scanned only suspected ones. Now they are expanding it to every user. To avoid same privacy issues as Google is doing (scan everything on cloud), they scan everything on device, and only leaking suspected information to upstream and preventing the upload to stop sharing.
IF we can trust that they really scan locally only those files which would end up into the cloud, then this is improvement. But trust is all we have, because the system is already full blackbox.
And if you have your iCloud sync toggle on, since your devices are intended to be uploaded, the client is doing the hashing.