According to GDPR, the app developer is the "data controller" and thus ultimately responsible. Only in the case where Apple knowingly participated in unlawful behavior is it likely to be held accountable, and even then, in addition to the app developer. Obviously, if we are not talking about leaks from the actual App Store system (eg. Apple account logins and user data).
So while it sounds plausible, the legal framework is exactly not what you describe here — Apple can claim to want better protection for customers by not allowing third party apps, but EU rejects that (it can similarly extend to app store itself) and pushes for competitive landscape with DMA instead.
Couldn’t someone argue that they “knowingly participated“? Do you think they want that risk?
Nothing holds them from having designed this as an API that others can use where the user has permission toggles of what data they want to share with the LLM provider.
This would be unprecedented access to user data, enabling the most complete user profiling ever.
Ad companies, like Meta and Google, are going to spend huge amounts of money getting agents ready, because there will be a ridiculous amount of money behind all the data they're going slurp up, and the profiles they'll build for you.
Unless, Apple can figure out how to keep the leaches, that have consistently proven to be so, with court cases for receipts, at bay.