"What happens on your iPhone stays on your iPhone" can't be literally true or else your phone wouldn't be able to communicate with any other devices. There is therefore an implicit exception for data that you choose to send elsewhere. As I said, Apple was only planning to scan photos you were sending to iCloud. Therefore these are already files that you agreed to send off your device and they shouldn't be assumed to be covered by that marketing slogan as you are the one choosing to contradict it.
You want "What happens on your iPhone to stay on your iPhone"? Turn off iCloud.
Are you asking for the out-of-the-box default to be that your iPhone can't send an email or iMessage because that wouldn't "stay on your iPhone" either?
The marketing speak is marketing speak and obviously not literal.
Sending the email and messages is what the user does.
Auto-sending all your photos to a server owned by someone else (and without end-to-end encryption!) by default cannot be described as "what happens on your iPhone stays on your iPhone" in my opinion.
It has been a while since I have set up an iDevice from scratch. Isn't there a prompt during setup that asks the user whether to enable this iCloud backup? I believe you can even set up devices without entering an Apple ID at all. Wouldn't that make this scanning also a response to something the user does?
I don't know the answer, but regardless, any non-technical user will simply not understand the implications of using "the cloud". They don't know that there is no cloud, just other people's computers and that Apple has access to all photos. I really doubt it's explained well during the setup.
You want "What happens on your iPhone to stay on your iPhone"? Turn off iCloud.