I think that's a pretty bad summary of the concerns that were raised. Sure they are scanning your files on icloud, but there is a 100% reliable way to prevent that: just don't upload them.
In their proposal they would scan your files on device, which is fundamentally different. Initially they would not run the scanning when icloud upload was disabled but how long would that last for?
No. The proposal was to generate the perceptual hash on device at the time of uploading to iCloud. It would not be doing any scanning on-device. The comparison to the CSAM database would still happen on Apple's servers.
The device would download an encrypted database. It would compute a hash on the device. It would compute a value (“voucher”) from this hash and the database and upload that value to iCloud, which could decrypt it iff there were a sufficient number of matches. The voucher is independent of the plaintext file uploaded to iCloud: hence you could upload only the voucher and not the file and the system would still alert.
Phrases like “it would not be doing any scanning on-device” don’t have any precise meaning. Scanning is a series of operations including hashing and cryptographic calculations plus a voucher upload and decryption. All of the former operations are happening on the device, only the latter happens on the server. So in fact a significant fraction of the scanning is indeed happening on your device. And this two-computer design isn’t being used to preserve your privacy: it’s designed this way solely to prevent you (the device owner) from knowing whether your files match the database. Without that requirement, the system would be much simpler: it would download a hash database and simply send a notification to iCloud whenever (a sufficient number of) local files hash to values matching the database.
In their proposal they would scan your files on device, which is fundamentally different. Initially they would not run the scanning when icloud upload was disabled but how long would that last for?