Follow the cryptographic attestations. If your threat model can't tolerate that, local AI is the most private.
Discussion
The problem is that, currently, it is not much different than "trust me bro", unless reproducible builds of the full backend image are possible.