
The problem with differential privacy is I have to trust the person aggregating the data to actually do it.


This is incorrect, at least in theory. RAPPOR is designed to protect the user's data even if an attacker can see all of their individual responses over time. Of course, there could be implementation issues...


Do you? Excuse my ignorance, but I thought there was a way to locally mangle the data before submitting. Is that not what Apple is doing?


For the case of RAPPOR (and for what Apple is doing), you do not need to trust the aggregator with your data. These algorithms operate in the "local" model of differential privacy, where all privatization occurs on the users' local machines before being sent to the aggregator.
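The local model described in the comment above, as an added example that is not part of the thread and not RAPPOR's or Apple's code: a simplified one-bit randomized response in which each user flips their own answer on-device and the aggregator only ever sees noisy bits. The function names, the epsilon value and the simulated population are assumptions made for illustration.

```python
import math
import random


def truth_probability(epsilon: float) -> float:
    """Probability of reporting the true bit: e^eps / (1 + e^eps)."""
    return math.exp(epsilon) / (1.0 + math.exp(epsilon))


def privatize(true_bit: int, epsilon: float, rng: random.Random) -> int:
    """Runs on the user's device, before anything is sent."""
    if rng.random() < truth_probability(epsilon):
        return true_bit
    return 1 - true_bit


def estimate_fraction(reports, epsilon: float) -> float:
    """Runs at the aggregator, which only holds the noisy reports.

    E[observed] = pi*p + (1 - pi)*(1 - p), solved for the true fraction pi.
    """
    p = truth_probability(epsilon)
    observed = sum(reports) / len(reports)
    return (observed - (1.0 - p)) / (2.0 * p - 1.0)


def likelihood_ratio(epsilon: float) -> float:
    """P(report=1 | bit=1) / P(report=1 | bit=0); equals e^eps, the bound
    on what one report can reveal about one user."""
    p = truth_probability(epsilon)
    return p / (1.0 - p)


def simulate(n_users=100_000, true_fraction=0.30, epsilon=math.log(3), seed=1234):
    """Constructed population: returns (actual fraction, aggregator estimate)."""
    rng = random.Random(seed)
    bits = [1 if rng.random() < true_fraction else 0 for _ in range(n_users)]
    reports = [privatize(b, epsilon, rng) for b in bits]
    return sum(bits) / n_users, estimate_fraction(reports, epsilon)


if __name__ == "__main__":
    actual, estimated = simulate()
    print(f"actual={actual:.4f} estimated={estimated:.4f}")
    print(f"per-report likelihood ratio={likelihood_ratio(math.log(3)):.2f}")
```

Re-randomizing the same underlying value independently on every report would let an observer average the noise away over time; RAPPOR addresses this by memoizing a permanent randomized response, which this sketch leaves out.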


> Is that not what Apple is doing?

I don't know, is it? How would I check, if I consider Apple an untrusted actor?



