Not correct. When enough images to trigger a match are detected apple employees verify the visual derivative to make sure it matches before an alert is generated. They would need to collude.
You’re right, I was thinking about a breach of privacy in general instead of actual legal consequences. (Though the possibility of governments backdooring Apple’s servers to access decrypted files stands, that shouldn’t make a difference with this iCloud-Photos-only spyware)