This is different now. They scanned only suspected ones. Now they are expanding it to every user. To avoid same privacy issues as Google is doing (scan everything on cloud), they scan everything on device, and only leaking suspected information to upstream and preventing the upload to stop sharing.
IF we can trust that they really scan locally only those files which would end up into the cloud, then this is improvement. But trust is all we have, because the system is already full blackbox.
Apple just now moved it to scan on the device.