[implying]

A new aspect of this is that because this is self-reported, and the end goal is to involve the criminal justice system, there is now (essentially) an API call that causes law enforcement to raid your home.

What would be the result of 'curl'ing back a few random hashes as positives from the database? Do I expect to be handcuffed and searched until it's sorted out? What if my app decides to do this to users? A malicious CSRF request even?

[srj]

A report to the cybertips line does not equal a police raid. Unfortunately the scale of the problem and the pace of growth is such that only the worst of the worst content is likely to be prosecuted.

[the_other]

If a phone calls the API "hello, I found some porn here" the phone (and/or it's owner) become a "person of interest" very quickly.

(I'll wager) The majority of these calls will be false positives. Now a load of resources get deployed to keep an eye on the device's owner, wasting staff time and compute, wasting (tax funded) government budget that could have gone towards proper investigation.

[TheFreim]

Yeah and sadly many of those who are consumers of illicit content get away with it because it's much more important to target the creators. The unfortunate reality of finite resources.