Membership inference
Membership inference (MIA) asks a question that looks harmless but isn't — "was this record in my training set or not." It needs no original text (that's the fundamental difference from training-data extraction), only a yes/no; yet when the "yes" is itself sensitive (e.g. "this person is in a particular disease dataset"), that single bit is the leak. It is the core target differential privacy defends against, and the foundation of a whole chain of privacy attacks — extraction, attribute inference, and more — which is why it leads Volume 1.
Trusted execution environments (TEE)
In one sentence the root of trust is the chip vendor (you trust Intel / AMD / NVIDIA's keys and implementation), and TEEs have been repeatedly broken by microarchitectural side channels (the Foreshadow family). It's the load-bearing wall for Volume 5's "confidential inference," so Volume 1 spells out up front what it does and doesn't guarantee.
Homomorphic encryption / MPC
In one sentence the remote execution environment is not a trust root — security comes from cryptographic assumptions. The cost is being much slower (HE especially), so today they're used in narrow scenarios, and full private LLM inference is still expensive. Volume 1 covers what they guarantee, where the cost is, and how to choose between them and a TEE.
Model extraction & stealing
In one sentence a stolen / cloned model can be attacked offline, repeatedly (membership inference, extraction), amplifying one-time API access into a persistent privacy risk. Conclusion: API access ≠ zero leakage — threat-model "the queries themselves can be used to extract model information."
Model inversion & attribute inference
In one sentence model inversion — using repeated queries + the confidence I emit to rebuild what a class's training sample "looks like" (Fredrikson et al. at CCS 2015 reconstructed recognizable faces from a face-recognition model); and attribute inference — given a person's partial known info + me, inferring their undisclosed sensitive attribute (Fredrikson et al.'s 2014 warfarin-dosing case). Conclusion first: confidence / probability outputs are the fuel, and attribute inference also borrows population-statistics correlations — don't assume "didn't send raw data out" is safe; look at output granularity, whether DP is stacked, and whether a class maps to a single individual.
Property / distribution inference
In one sentence "what fraction of women / a given ethnicity was this model trained on." Ganju et al. (CCS 2018) did exactly this with a meta-classifier the population makeup of a training set can itself be sensitive (trade secret / group privacy) — don't focus only on protecting a single individual; sometimes the attacker doesn't want any one record at all.