> knowing that CSAM could just get added at any point

CSAM is an abbreviation for "child sexual abuse material", so no, that won't (hopefully) get added without your consent.

The scanning wasn’t to be done by the OS, but by the Photos app uploader, and only if you had iCloud Photo Library turned on. Lots of apps already do telemetry and photo scanning that goes beyond this, as well as nearly every major cloud provider (though Apple seemingly doesn’t scan iCloud photo libraries without a warrant unlike Google and Facebook).

Like a lot of apps, you don’t need to use Photos.app. They didn’t sneak it in without explaining how it worked.

That's why there are self-hosted solutions like NextCloud or home NAS devices.

They also said they're open to opening it up to 3rd parties in the future.