The list of hashes is confidential. Good luck getting NCMEC to sign off on an implementation which lets clients infer which photos are matching their database.
The database is embedded into iOS. There are at least three primary sources which say that users will not receive different databases, and it should be easily confirmed.
I am well aware but that is exactly the point. If Apple can't provide an accountable implementation they should not implement this at all. This should be table stakes that all users should demand, at a minimum.
Otherwise there is no way to detect if the system is abused to target lawful activities.
The fancy crypto in the system isn't there to protect the user, it's to guard the system's implementer(s) against accountability. It protects Apple's privacy, not yours.
The database is embedded into iOS. There are at least three primary sources which say that users will not receive different databases, and it should be easily confirmed.