Apple says Siri running on Google Cloud is still secure, but do you have any way to check?

There was a moment at WWDC 2026 that I kept thinking about. Craig Federighi, Apple's Vice President of Software, stood on stage explaining the new partnership with Google. "We don't use the models that Google deploys for their commercial customers," he said. He said it in a confident tone, as if it were enough to end all concerns. But right underneath that sentence is a truth no one denies: Siri, Apple's assistant, now runs on NVIDIA chips in Google Cloud's infrastructure. Those two things coexist. And the interesting question is not "Is Apple lying?" but "Does it still matter?"
Ten years of Apple building a brand from the word 'privacy'
To understand why WWDC 2026 is a remarkable moment, it's worth looking back at what Apple has done with the word "security" over the past decade.

Privacy is something that Apple has persistently pursued for more than 10 years.

In the following years, Apple maintained that stance through each product decision. Full device encryption by default. Safari browser blocks ad tracking. App Tracking Transparency forces apps to ask permission before tracking users. "Nutrition Labels" on the App Store indicate what data an app collects. And advertising campaigns repeat the same thing over and over again: what happens on the iPhone stays on the iPhone. It's not a coincidence. This is the strategy that differentiates Apple from Google, a company that makes money from advertising and data. If Apple and Google both make phones, both make AI assistants, and both make cloud services, the only difference Apple can exploit is: "We don't make money from your data." Now, Siri is running on Google's servers.
AFM 3 and what Apple didn't say directly at the launch
The third generation of Apple Foundation Models, called AFM 3, includes five models. Two small models run directly on the device: AFM 3 Core (3 billion parameters) and AFM 3 Core Advanced (20 billion parameters). The remaining three models run in the cloud. Of the three cloud models, the most powerful is AFM 3 Cloud Pro. This is the model used for the most complex tasks: multi-step reasoning, questions that require broad context, and requests that the device cannot handle. And AFM 3 Cloud Pro runs on NVIDIA Blackwell chips, housed in Google Cloud infrastructure.
![[IMG]](https://photo2.tinhte.vn/data/attachment-files/2026/06/9050813_apple-foundation-models-2026.jpg)
What is Private Cloud Compute and why Apple thinks it solves the problem
Apple does not deny the above. Instead, they make another argument: the system's architecture ensures that even if the server is in Google Cloud, your data is still safe. That system is called Private Cloud Compute (PCC). The operating principle has three layers.

The first layer is a stateless system: when your device sends a request to PCC, the server processes that request and completely deletes the data when finished. There are no logs, no history, no mechanism to write data to the hard drive on the processing nodes.
Questions that this architecture cannot answer
I read Apple's technical documents about PCC and found one thing Apple explained very well: the system ensures the server is running the correct Apple-approved software. That's a testable claim, at least in theory. But there's another question this architecture doesn't answer: Who checks that the software does what Apple says it does?

Do users have any choice other than to believe what Apple says? Can we verify what Apple actually does? When Apple says "PCC software does not store data," they are talking about software that Apple writes, Apple approves, and Apple publishes. Security researchers can examine that binary. But examining a binary of hundreds of megabytes to confirm that "no lines of code store data" is a job that requires a lot of resources, time, and expertise. In reality, most users have to trust the conclusions of a group of security researchers they have never met. It's a multi-layered trust structure: you trust Apple because a research group says the system looks as Apple describes it. That's not unreasonable: this is how most software security works. But it's different from "you can check it yourself."
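
An added example, not from Apple's documentation or this post: a simplified model of the check discussed above, assuming published software images are recorded in a Merkle log and that the node's measurement has already been authenticated by the hardware. The image strings, `client_accepts` and the log layout are constructed for illustration. The build that writes data to disk is accepted as well, because inclusion in the log proves which binary is running, not what that binary does.

```python
import hashlib

def measure(image: bytes) -> bytes:
    """Measurement = SHA-256 of the software image a node attests to."""
    return hashlib.sha256(image).digest()

def leaf_hash(m: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + m).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(measurements):
    """Return every level of the tree, leaves first, root last."""
    levels = [[leaf_hash(m) for m in measurements]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # unpaired node is promoted unchanged
        levels.append(nxt)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, each flagged if it sits on the left."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))
        index //= 2
    return proof

def verify_inclusion(measurement, proof, root):
    h = leaf_hash(measurement)
    for sibling, on_left in proof:
        h = node_hash(sibling, h) if on_left else node_hash(h, sibling)
    return h == root

# Constructed stand-ins for published images; not real PCC builds.
STATELESS = b"build-1: answer request, discard data"
LOGGING = b"build-2: answer request, write data to disk"
OTHER = b"build-3"
LEVELS = build_levels([measure(STATELESS), measure(LOGGING), measure(OTHER)])
ROOT = LEVELS[-1][0]  # assumed to reach the client over an authenticated channel

def client_accepts(image: bytes, index: int) -> bool:
    """True if the attested image is in the published log at `index`."""
    return verify_inclusion(measure(image), inclusion_proof(LEVELS, index), ROOT)
```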
Is Apple still different?
The answer, I think, is yes, but in a more subtle way than before. Previously, Apple was different because your data never left the device to go to a third-party server. Now, with AFM 3 Cloud Pro, your data goes to Google Cloud, but in an environment where Apple controls the software, the hardware has an authentication mechanism, and there's no data storage mechanism designed into it. That difference still has real value. When you use Google Assistant with Google Cloud, your data goes into a system that Google designs, that Google controls, and that Google can use to improve the model. When you use Siri with PCC on Google Cloud, theoretically no one in the system, not even Apple or Google, can read your request. But that requires you to believe in a much more complicated system than "iPhone doesn't send data." And in a market where Apple once won with the simplicity of its message, the new story is much more complicated to tell. I have no specific reason to think Apple is lying. But I also realized that I had no way to really check. And the difference between "no reason not to believe" and "verifiable" is a question worth thinking about as AI learns more and more about our lives.