TL;DR
Every major AI assistant — Siri, Google Assistant, Alexa, ChatGPT — sends your queries to remote servers for processing. Your conversations, questions, and personal context travel across the internet to data centres you don't control. On-device inference changes this: your data stays on your device, processed by models running locally. Apple's Foundation Models framework (iOS 26+) makes this practical for the first time. This isn't a privacy checkbox — it's a fundamental architecture shift.
The Problem Nobody Talks About
Get Our Weekly Cybersecurity Digest
Every Thursday: the threats that matter, what they mean for your business, and exactly what to do. Trusted by SMB owners across Australia.
No spam. No tracking. Unsubscribe anytime. Privacy
When you ask your AI assistant "remind me about my doctor's appointment," that query doesn't stay on your phone. It travels to a server farm, gets processed alongside millions of other queries, and the response comes back. Along the way:
- Your query is logged for "quality improvement"
- It may be used to train future models
- It passes through multiple network hops, any of which could be compromised
- A data breach at the provider exposes your personal context
This isn't hypothetical. In 2025, OpenAI disclosed that ChatGPT conversation data was accessible to other users due to a Redis cache bug. Google's Project Nightingale collected health data from millions of patients through AI processing. Amazon admitted Alexa
Free Resource
Get the Free Cybersecurity Checklist
A practical, no-jargon security checklist for Australian businesses. Download free — no spam, unsubscribe anytime.
Send Me the Checklist →The industry's default architecture treats your privacy as an acceptable trade-off for convenience.
What On-Device Inference Actually Means
On-device inference means the AI model runs entirely on your hardware — your iPhone's Neural Engine, your Mac's M-series chip. No network call. No cloud server. No data leaving your device.
Apple's Foundation Models framework, introduced with iOS 26, provides:
- 4,096-token context window — enough for substantial conversations
- Structured output generation — the model returns typed Swift structs, not raw text
- Tool calling — the model can interact with device APIs (calendar, contacts, reminders)
- Guardrail detection — the framework tells you when it can't help, rather than hallucinating
The trade-off is capability. A 3-billion parameter on-device model can't match GPT-4's world knowledge. It excels at personal tasks (scheduling, reminders, document summarisation, tool use) but struggles with specialised domains (legal analysis, medical research, cutting-edge code generation).
The Expert Network: Privacy-Preserving Cloud Fallback
What happens when the on-device model hits its limits? The traditional answer is "send everything to the cloud." A privacy-first answer requires more nuance.
A distributed expert network solves this with three guarantees:
1. Explicit User Consent
Before any data leaves the device, the user sees exactly what will be sent and where. Not a buried Terms of Service clause — a clear, contextual popup: "This question requires an expert AI. Your query will be sent to an EU-based processing node. Do you consent?"
No consent, no transmission. The on-device model does its best with what it has.
2. PII Anonymisation Before Transit
Even with consent, queries are scrubbed of personally identifiable information before leaving the device. Email addresses, phone numbers, names, locations — stripped and replaced with placeholders. The expert node sees "Schedule a meeting with [PERSON] at [LOCATION]" not "Schedule a meeting with Dr. Smith at 42 Collins Street."
Microsoft's Presidio framework handles this at the pipeline level, with configurable detectors for different PII categories.
3. Geo-Fenced Routing
For users in the EU, queries are routed exclusively to EU-based processing nodes. This isn't a best-effort — it's a hard constraint. If no EU node is available, the query fails rather than routing to a non-compliant node. GDPR Article 28 compliance isn't optional.
The Architecture
User Query
│
▼
┌──────────────┐
│ On-Device │ ← Foundation Models (iOS 26+)
│ Inference │ ← No network required
└──────┬───────┘
│
▼
┌──────────────┐
│ Guardrail │ ← Did the model refuse or overflow?
│ Detection │
└──────┬───────┘
│ (if escalation needed)
▼
┌──────────────┐
│ Consent │ ← Explicit user approval
│ Gate │ ← Revocable at any time
└──────┬───────┘
│ (if consented)
▼
┌──────────────┐
│ PII │ ← Strip personal data
│ Pipeline │ ← Presidio-based detection
└──────┬───────┘
│
▼
┌──────────────┐
│ Geo-Fenced │ ← EU users → EU nodes only
│ Routing │ ← Zero retention at router
└──────┬───────┘
│
▼
┌──────────────┐
│ Expert │ ← Distributed, independently operated
│ Node │ ← DPA-signed, health-monitored
└──────────────┘Every layer is a checkpoint. Data only flows forward if all conditions are met. This is defence-in-depth applied to AI privacy.
ISO 27001 SMB Starter Pack — $97
Everything you need to start your ISO 27001 journey: gap assessment templates, policy frameworks, and implementation roadmap built for Australian SMBs.
Get the Starter Pack →Five-Tier Data Classification
Not all data is equal. A privacy-first system needs to know the difference between your app version (public) and your health records (never leaves device).
| Tier | Classification | Rules |
|---|---|---|
| C0 | Public | Unrestricted access |
| C1 | Internal | Requires TLS for transit |
| C2 | Confidential | Requires encryption + user consent |
| C3 | Restricted | Never leaves the device |
| C4 | Prohibited | Cannot be persisted to disk |
This classification is enforced at the type system level — not just policy documents. A C3 data object literally cannot be passed to a network function. The compiler catches violations before the code ships.
Why This Matters for Australian Businesses
The Privacy Act 1988 reform (expected 2026) introduces mandatory privacy impact assessments and strengthened consent requirements. The OAIC's enforcement actions — including the $2.5M FIIG Securities penalty — signal a shift toward active enforcement.
For businesses deploying AI assistants:
- On-device inference eliminates cloud data processing obligations for personal queries
- Geo-fenced routing satisfies cross-border data transfer requirements (both GDPR and incoming AU reforms)
- Explicit consent flows align with the strengthened Australian Privacy Principles
- Audit logging provides the evidence trail regulators expect
What's Next
We're building this architecture as Spaaaace — a privacy-first AI assistant for iOS. The routing infrastructure (SpaaaaceRide) is open-source under AGPL-3.0, enabling anyone to run expert nodes and contribute to the distributed network.
The goal isn't to compete with ChatGPT on raw capability. It's to prove that AI assistants can be genuinely useful without treating user privacy as a trade-off.
Privacy isn't a feature. It's an architecture decision.
FAQ
For personal assistant tasks (scheduling, reminders, summarisation, tool use) — yes. For specialised domains requiring world knowledge — not yet. That's what the expert network fallback solves.
The on-device model works without any network connection. You lose expert network access but keep full personal assistant functionality.
Yes. Expert nodes are independently operated, each signing a Data Processing Agreement. The routing coordinator runs on Cloudflare Workers at the edge — no centralised server processing queries.
Apple Intelligence also uses on-device processing, but routes complex queries through Apple's Private Cloud Compute. Spaaaace routes through a distributed expert network instead, giving users more control over where their data goes.
Yes, AGPL-3.0. The routing SDK, node operator kit, PII pipeline, and API gateway are all open source. The iOS app UI, billing, and analytics remain proprietary.
References
OpenAI Security Notice — ChatGPT Data Exposure Incident (March 2025). Technical disclosure of Redis cache bug that exposed user conversation data to other users, highlighting cloud AI privacy risks.
Office of the Australian Information Commissioner (OAIC) — Guide to Data Breach Notification. Australian NDB scheme requirements for assessing eligibility and notification timelines for data breaches.
Microsoft Presidio — PII Detection and Anonymization Framework. Open-source library for detecting and redacting personally identifiable information in text, with support for multiple PII categories and anonymization techniques.
Apple Developer Documentation — Foundation Models Framework (iOS 26+). Official documentation for on-device AI inference, including 4,096-token context, structured output, and tool calling capabilities.
European Data Protection Board (EDPB) — Guidelines on Data Protection Impact Assessment (DPIA). GDPR Article 35 requirements for assessing high-risk data processing, including systematic monitoring and large-scale processing of special categories of data.
Australian Government — Privacy Act 1988 (Cth) — Explanatory Memorandum. Details of the 2026 Privacy Act reforms, including strengthened consent requirements and mandatory privacy impact assessments.
Google AI Blog — Project Nightingale and Health Data Privacy. Google's disclosure and policy changes following the collection of health data through AI processing, highlighting cloud AI privacy challenges.
Amazon Alexa Privacy — Human Review of Voice Recordings (Transparency Update). Amazon's disclosure and opt-out controls after revelations that Alexa recordings were reviewed by contractors for quality improvement.
Cloudflare — Workers AI: Serverless Inference at the Edge. Infrastructure for running AI inference at the edge with low latency and geo-fencing capabilities for GDPR-compliant data routing.
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →