it uses combination of search results from other public services. if you self-host, your instance helps make these services single out the searcher (if not used by lots of unrelated people).
did not go through the code but if you use a public instance, it might be possible to do similar level of logging at instance-level what we accuse the search giants for. might be through some opt-out debugging feature or what have you.
at the end you place trust on a third party directly or not.
For that scenario you 1) download the code, 2) verify yourself what is inside and then 3) compile. (optional 4) Subsequent versions check on the delta of changes.
There is a cost to your time/effort in performing this type of action that is proportional to the criticality of your context and the level of trust you place on the providers.
To deploy it I think you mean on a vps. Now all your searches by Searx will be routed to other engines with the IP of your vps. So unless you deploy it with something like gluten to provide VPN access for searx. You will let those engines build profile about you. If you use the public instances so that more people are using it you don't know if they are running the unmodified source code.
Id you go with the route of VPN with sear then you probably use VPN with search engines like DDG directly. And don't save cookies on the browser.
You display enough technical pro-efficiency on the topic but then you try to compare as equivalent the usage of SearX or DDG, ignoring that only one of them has the source code available for review. If you are affiliated to DDG, please disclose openly.
If you honestly are _THAT_ worried about IP tracking on the server level, then you would run SearX inside your local machine with Tor or any VPN of your choice. Simple.
You can install/run from your own server, or just use a public version like this one here: https://metasearx.com/
Source code is available for verification. You can host yourself or choose from multiple domains to access.