Craig Federighi took the stage at WWDC to address what many in the security community have been whispering about since Apple announced its Google partnership for Apple Intelligence—the elephant in the room: how does Cupertino keep its vaunted privacy promises when your queries are hitting servers Google owns? The answer, according to Federighi, lies in a new iteration of Private Cloud Compute (PCC) specifically engineered for third-party hardware environments.

Breaking Down the On-Device vs. Cloud Split

For basic queries, Apple Intelligence still relies on an on-device model called AFM 3 Core—a Gemini-based model co-developed by Google and Apple. Most current-gen devices run this version. But newer hardware with at least 12GB of RAM (M3 or newer for Macs, M4 or newer for iPads, just the A19 Pro for iPhones) gets access to AFM 3 Core Advanced instead, which taps into extra memory and storage for improved dictation and Siri's more expressive voice capabilities. When queries get too complex for on-device processing, Apple routes requests through one of three cloud models: AFM 3 Cloud (general use), ADM 3 Cloud (image generation), or the heavyweight AFM 3 Cloud Pro designed for agentic tool use and complex reasoning. Here's where it gets interesting—Federighi was explicit that "the amount of the Google system we use is none." The first two cloud models still run on Apple's own silicon and servers. It's only the Cloud Pro model that touches Google's Nvidia infrastructure.

How Apple Secures Third-Party Hardware

To make this work without compromising its privacy stance, Apple built PCC 2.0 around three security primitives: Nvidia's Confidential Computing, Intel's Trust Domain Extensions, and Google's Titan security chip. These layers provide protection comparable to what Apple's own servers deliver. But the real cryptographic muscle comes from an "append-only ledger of all Google Cloud hardware that is part of the PCC fleet"—a tamper-proof record Apple devices can verify before trusting any server response. The signing key is what matters here: only software signed by Apple gets execution privileges on these distributed cloud nodes. Google provides the real estate and the GPUs, but Apple holds the keys to the kingdom—and that's not changing with this partnership.

Key Takeaways

  • AFM 3 Core Advanced requires at least 12GB RAM (M3+/M4+ chips or A19 Pro only)
  • Only AFM 3 Cloud Pro touches Google's Nvidia hardware; general and image models stay on Apple silicon
  • Apple's PCC fleet uses cryptographic verification before trusting any cloud response
  • Third-party hardware runs only Apple-signed code—no exceptions

The Bottom Line

Let's be real: this is Apple doing what Apple does best—building a walled garden that looks open from the outside. Google gets to tout an AI partnership with the world's most valuable consumer tech company, Apple gets access to capable cloud inference without owning the data centers, and users get privacy theater that might actually work if you trust Apple's cryptographic assertions. Whether that's enough depends on whether you believe Google's Titan chips plus Apple's ledger add up to "no Google system." Federighi clearly does.