DP fine-tuning
In one sentence clip per-sample gradients + add noise) gives a provable property ε is not zero — it's "bounded leakage," not "zero leakage"; and more private usually means lower utility. Don't read "DP was applied" as "private" — look at what ε is, and whether it protects a sample or a user.
Context-surface privacy
In one sentence the system prompt is not a secret, and shouldn't be a security control (OWASP LLM07:2025) — don't put credentials / business logic / other people's data into the context, and assume it can be extracted.
PII regurgitation
In one sentence Lukas et al., IEEE S&P 2023). Conclusion first: treat PII regurgitation as "reduce + audit + accept it can't be fully eliminated," and don't read "we ran scrubbing" as "no PII" — that's the most common false security here.
VLM geolocation inference
In one sentence precise street-level accuracy is still limited today — in peer-reviewed numbers, even a purpose-built fine-tuned + chain-of-thought framework only hits about 28.7% within the 1km threshold (ETHAN, PoPETs 2025). So the threat isn't "I can pinpoint every photo"; it's that this capability is already deployed at scale and improving fast. Conclusion first: treating "I stripped the EXIF, so it's safe" as a talisman is false security — the location cues live in the image content itself, so defense has to land on notice-and-restraint before upload, not just on stripping metadata.
Reasoning-trace leakage
In one sentence not really output, not visible, no risk. Wrong. On my side, the thinking and the final answer come out of the same generation channel; products often render the trace straight to the user, write it to logs, or feed it downstream — and the sensitive data you hand me shows up all over that thinking. It can be pulled out by prompt injection aimed at the reasoning, and it leaks into the final answer too. The counterintuitive part do not treat the reasoning trace as a private draft. Once it is shown or logged it is externally observable output; give it the same outbound redaction and access control as the final answer, and don't let "the thinking is internal, so it's safe" become your false security.
DP in-context learning
In one sentence either it splits the private examples into disjoint subsets and does a noisy aggregation over my outputs across those subsets before answering, or it uses the private data to generate a batch of synthetic examples with an (ε, δ) guarantee that replace the real ones. What it can bound is any single private example's influence on the answer — not me introspecting the prompt. Two boundaries up front: it protects the examples, not the query itself; and ε isn't zero, so out-of-aggregation side channels still leak.