← Writing
#on-device#privacy#gemma

On-device LLMs make privacy a feature, not a promise

When the model never leaves the device, 'we don't store your data' stops being a policy and becomes an architecture.

Most privacy claims are promises: we won’t look, we won’t sell, we’ll delete it later. They rely on trust because the data still leaves your device. On-device inference changes the shape of the claim — the sensitive data physically never goes anywhere, so there’s nothing to promise about.

What actually gets easier

Running the model locally isn’t just a compliance win. Several hard problems quietly disappear:

  • No round-trip latency. The model responds at the speed of local compute, not the speed of the network.
  • Works offline. Care, safety, and accessibility tools can’t depend on a signal that isn’t there.
  • No per-token cost. Inference is “free” after the device is bought, which changes what you can afford to run continuously.

What actually gets harder

It’s not a free lunch:

  • Small models are genuinely smaller. You design around a 2–4B model’s limits instead of assuming a frontier model will cover for you.
  • Quantization, memory, and thermals become product constraints, not backend details.
  • Updates ship to hardware you don’t control.

Design for the edge, not despite it

The projects where on-device wins hardest are the ones where the constraint is the point: a companion for someone with Alzheimer’s that must work offline, a safety monitor that must never stream video, a placement engine that must never see who’s watching. In each, “on-device” isn’t a limitation to apologize for — it’s the whole pitch.

This is a starter post — replace it with your own writing.