They also could embed the whole database into iOS and activate certain hashes only for certain iCloud accounts. No one would know because the database is encrypted multiple times.
They could do a lot of things. They’ve told us what they do. It’s not this. The FAQ released yesterday specifically says that users cannot be targeted.
> The same set of hashes is stored in the operating system of every iPhone and iPad user, so targeted attacks against only specific individuals are not possible under our design.
The problem with this sentence is that Apple assumes that they can't target specific individuals because every iPhone and iPad user has the exact same database in their iOS device.
But what if they have a hash in the database where they know that only one person has this exact image on their device? This way you could single out one individual with the same database.