Technical measures are the wrong lever for this problem. I can always send your precious data to my backend and proxy it to whatever third-party vendor from there, and there’s nothing you can do to prevent that.
Instead, a legal solution like the GDPR offers better means of protection. The way the fines are structured, vendors have a clear incentive to not exfiltrate your data in the first place.
> Instead, a legal solution like the GDPR offers better means of protection.
I mean, yes, that was my point — that there'd need to be some legal thing like GDPR. But that thing would very likely need some kind of explicit user-driven policy choice (à la how websites are now forced to ask for a user-driven cookie-handling policy).
To comply with such a law, it would be likely that every application-layer protocol that could in theory involve a backend that relies on the use of third-party ML vendors would have to be modified to somehow carry that policy choice along with requests. It'd be a huge boondoggle.