Another idea for Apple would simply be quarantining attachments from unknown contacts. E.g. display that an attachment exists but don't download it to the device until a user accepts a "attachment from unknown sender" warning box
AFAIK all iMessage attachments (since iOS 14) are quarantined via BlastDoor, any such full system takeover must include at least two escapes: one from BlastDoor, and another from the application sandbox. They also need to cope with ASLR. It's pretty heavy duty even in the most basic default configuration.
https://googleprojectzero.blogspot.com/2021/01/a-look-at-ime...
Upon re-reading this, it seems like crashes in BlastDoor are reported to Apple in real-time. I think this qualifies as "clientside scanning", tbh.