That's why the CSAM scanner is on your device. It computes the hashes in place on then unencrypted images before uploading encrypted copies to iCloud.
That's why from some perspectives it is a net privacy win versus Google/Microsoft's similar tools that require them to have decryption backdoor keys on their clouds to process these CSAM requests and other FBI/TLA/et al warrants. Apple is saying they don't have backdoor keys at all on iCloud and if they are forced to do CSAM scanning it has to be on device, without leaving the device to have access to the unencrypted images. Only if you hit the reporting threshold (supposedly 30+ hash violations) would it also encrypt copies to a reporting database on iCloud (and again only if you were uploading those photos to iCloud in the first place).
That would also be true for any use of iCloud Photos, no? If you don't trust this, then you also can't trust them to be storing them encrypted on their servers.