This is a red herring. It wouldn't need to happen on device then, because iCloud Photos are not end to end encrypted and Apple can scan them on the server side today and achieve the same result.
The only reason to scan clientside for a cloud service is to scan files that are not uploaded, or are end to end encrypted.
Apple already maintains an e2e backdoor (in the form of non e2e iCloud Backup) for the FBI and US intelligence agencies. It is extremely unlikely that they will e2e encrypt iCloud Photos.
I said unlikely: they maintain an e2e backdoor in iCloud Backup. Technically, e2e encrypting iCloud Photos at this point would be a no-op as Apple is already escrowing the device e2e keys in the backup (eg for iMessage).
I doubt they'd bother doing e2e for iCloud Photos if they're intentionally not doing it for iCloud Backup.
> Apple is already escrowing the device e2e keys in the backup
Citation? I don't believe this is correct, or at least it's an incomplete assertion.
Assuming they do get with the iCloud backup, these keys would be inside the device's Keychain file which is encrypted at rest by the Secure Enclave. Thus even with access to a full, unencrypted backup of your iPhone, the keychain itself cannot be decrypted by Apple
(It can't be decrypted by you either, if it's restored to different hardware. This is why iCloud Keychain exists. And that is end-to-end encrypted.)
The only reason to scan clientside for a cloud service is to scan files that are not uploaded, or are end to end encrypted.
Apple already maintains an e2e backdoor (in the form of non e2e iCloud Backup) for the FBI and US intelligence agencies. It is extremely unlikely that they will e2e encrypt iCloud Photos.