It's really bizarre that the risk isn't more obvious to people. Apple is partnering with foreign countries organizations who will supply CSAM hashes except that there is no way Apple can actually verify this. To do so Apple would be asking these foreign organizations to send them CSAM creating a massive liability. Instead Apple will just be flagging arbitrary file hashes from countries that will absolutely poison the well.