This is one of the concerns in the OP, have an AI generate millions of variations of a certain kind of images and check the hashes. In this case it boils down to how common false positives neural hashes are.
> The proposed attack on Apple's protocol doesn't work.
With all due respect, I think you may have misunderstood the proposed attack @jonathanmayer, as what @jobigoud said is correct.
This is one of the concerns in the OP, have an AI generate millions of variations of a certain kind of images and check the hashes. In this case it boils down to how common false positives neural hashes are.