PCC is supposed to work only on Apple silicon. You are supposed to trust that the input will be decrypted within the enclave which is next to inference engine on the same box. This way you know the input does not leave the server. If they offload to another server (eg google) then the privacy boundary is broken, once it leaves the enclave. Microsoft does it differently, where inference is confidential so more guarantees if that could be replicated.
Google has a similar thing they announced a year or two ago that uses the various hardware security stuff in the PC world that Apple is working with them to add to the list of approved stuff that gives PCC level security.