The new confidential computing stack keeps prompts hidden even from Apple, Google, and NVIDIA. The protection is narrower than the press release suggests.
Apple, Google, and NVIDIA built an inference stack and then locked themselves out of it. Now they are asking the world to trust that claim. The architecture Apple detailed at WWDC, Private Cloud Compute running on NVIDIA Blackwell GPUs with confidential computing, is moving from Apple's own data centers onto Google Cloud. It is a public bet that the three companies most likely to handle AI requests cannot read them even if they wanted to. The bet is real, and the protection it offers is narrower than the marketing suggests.
The new stack, announced in an NVIDIA blog post on the collaboration, replaces the software-level "trust us" promise of earlier cloud AI with a hardware-rooted one. NVIDIA's Blackwell GPUs bring a hardware-based trusted execution environment (TEE) to the inference path. Inside that TEE, the model and the user's prompt are isolated from the host operating system, the hypervisor, and the cloud operator's administrators. Before any data leaves the device, the client cryptographically verifies that the remote infrastructure matches the firmware and software Apple has published, and that it has not been tampered with. If the check fails, the device refuses to send the request.
That last part is what matters. The traditional cloud AI model assumes whoever runs the server can see what is passing through it. Confidential computing is the engineering response to that assumption: a sealed enclave where even the operator cannot peer inside while a workload is running. Apple, Google, and NVIDIA are now publicly claiming they cannot view user prompts or model responses on this stack, not because of policy, but because the hardware will not let them.
The workloads running on this stack are Apple Foundation Models, the models behind Apple Intelligence, which Apple builds in collaboration with Google using technology from the Gemini family. When an iPhone or Mac decides a request is too heavy to handle locally, the prompt goes to one of these models on PCC. Under the new arrangement, the inference happens on NVIDIA Blackwell silicon inside a TEE, and the same architecture is extending from Apple's own data centers to Google Cloud. The expansion matters: PCC is no longer confined to hardware Apple physically controls.
What does this actually buy a user? Protection against one specific class of risk, and nothing else. Confidential computing protects data while it is being used, the part of the lifecycle where the data would otherwise sit exposed in memory to the host operating system, the hypervisor, and anyone with administrative access. It does not protect against an application-layer vulnerability in the model server, a prompt-injection attack, a malicious model that memorizes and later leaks training data, or a policy decision about which requests the OS routes off-device in the first place. It also shifts the trust anchor. Users are now trusting NVIDIA's supply chain and attestation infrastructure, not just Apple's promise.
The trade is real. The trust anchor moves from a software policy promise to a hardware root of trust, and the entities involved are staking their reputation on the claim that the lockout is genuine. That is a meaningful step for cloud AI privacy, and a careful one, because the guarantee ends precisely where confidential computing ends.