LOCAL_AI_STACK
LOCAL_AI_STACK / guides / local-ai-privacy-risks
15 min readv2.2 · 2026-06-12
← back to guidesOfficial documentation reviewed with caveats

Local AI Privacy: What Really Stays Local

Running an AI model locally can improve privacy, but it does not make your workflow private by itself. If the model weights are on your machine and inference happens on your own CPU or GPU through a localhost tool such as Ollama, LM Studio, or llama.cpp, the prompt and output can stay on-device. But documents, embeddings, chat history, browser storage, extensions, logs, sync folders, web search, plugins, remote providers, cloud-tagged models, and servers bound beyond localhost can still move data off the box or expose it to other machines.

Open WebUI is a good example: it can run offline, but it also supports external APIs, direct browser connections, web search, cloud storage, and plugins. The practical rule is simple: local inference is only one layer; privacy depends on the whole workflow and on verifying every data path.

What local AI means and what stays local

"Local AI" is often used loosely. In a strict privacy sense, it should mean at least three things: the model files are stored locally, inference runs on local hardware, and your application is sending requests to a local endpoint such as localhost or 127.0.0.1, not to a remote API. Ollama states that it runs locally and that it does not see prompts or data when you run locally. LM Studio states that, once models are on your machine, chatting with models and documents can work entirely offline and that nothing entered into the app leaves the device in those local workflows. llama.cpp's server defaults to 127.0.0.1, which is the loopback address rather than a network-facing bind.

What stays local when that strict definition is met depends on the stack, but it usually includes the model weights, the prompt, the generated output, and any embeddings that are generated by a local embedding model and written to a local vector store. Ollama's embeddings examples point to a local endpoint on http://localhost:11434, and LM Studio's OpenAI-compatible examples point clients at http://localhost:1234/v1 instead of remote OpenAI servers.

A local app is not the same thing as local inference. Open WebUI explicitly supports both self-hosted inference and managed APIs such as OpenAI, Anthropic, Azure OpenAI, and Google Gemini. Its homepage describes it as provider-agnostic and able to operate offline, but its feature pages also document direct cloud integrations, web search, tools, and cloud storage.

The cleanest operational test is simple. If you disconnect the machine from the internet and the same model, documents, and UI still work, you are much closer to true local inference. LM Studio documents that core chat, document chat, and the local server do not require internet once models are already present. Open WebUI, by contrast, documents that OFFLINE_MODE disables update checks and automatic model downloads, but external LLM connections, OAuth providers, and web search or RAG with external APIs can still remain functional unless you remove those connections too.

Local model does not automatically mean private workflow

A local model does not automatically create a private workflow because other layers can still send, store, sync, or expose data. The most common mistake is to verify only the inference engine and ignore the surrounding UI, browser, storage paths, update logic, web search, providers, extensions, and network binding.

RiskWhere it appearsHow to checkMitigation
Cloud-tagged or remote modelOllama cloud models, Open WebUI provider connections, any client pointed at a remote base URLCheck model names for cloud tags, check provider settings, and confirm the client base URL is localhost or 127.0.0.1.Prefer explicit local models, point clients only to localhost, and disable Ollama cloud with OLLAMA_NO_CLOUD=1.
Direct browser-to-provider connectionsOpen WebUI Direct ConnectionsCheck whether Direct Connections are enabled in Admin settings.Turn the feature off for local-only use.
Web search, tools, plugins, or MCPOpen WebUI web search, Tools, Functions, MCP; Ollama web searchReview installed Tools and Functions, web search settings, MCP servers.Disable web search, disable untrusted plugins, prefer SAFE_MODE.
Server exposed beyond localhostOllama, LM Studio, llama.cpp, reverse proxies and tunnelsCheck bind address, port, reverse proxy config, and listening sockets.Keep binds on loopback, deny unnecessary firewall exceptions, and enable auth before any network exposure.
Browser persistence and extensionsBrowser UIs, browser extensionsInspect site data, browser profile settings, and extension permissions.Use a separate browser profile, limit extensions, and clear site data when needed.
Sync folders and cloud storageiCloud Drive, OneDrive, Google Drive, Dropbox, Open WebUI object storageCheck whether your working directory, exports, or app data live inside synced folders.Keep sensitive AI data outside synced folders.
RAG indexes and embeddingsVector databases, embedding engines, Knowledge BasesCheck which embedding engine is used and where the vector DB lives.Use local embedding models, local vector stores, and treat embeddings as sensitive data.
Logs, history, archives, and exportsLM Studio, Ollama, Open WebUI, browser consoleCheck chat export features, archive/history screens, filesystem paths, and logging settings.Minimize retention, delete exports after use, and store app data in controlled local paths.

A useful local-only checklist:

  • Use only local model identifiers and localhost endpoints.
  • Disable cloud features and web search unless you have intentionally approved them.
  • Keep inference servers on loopback only.
  • Turn on authentication before exposing anything to the local network.
  • Run sensitive workflows in a clean browser profile with minimal extensions.
  • Keep app data, document folders, exports, and vector stores outside iCloud Drive, OneDrive, Google Drive, Dropbox, or any corporate sync agent.
  • Review whether RAG is creating embeddings locally or through a remote embedding API.
  • Review logs and archives, not just chat windows.
  • Test the workflow with the internet disconnected and inspect listening ports before trusting it with sensitive documents.

Claims a local AI site should avoid:

  • "Local AI is private by default."
  • "Nothing ever leaves your machine."
  • "Embeddings are anonymized."
  • "Browser-based local AI never leaves traces."
  • "A local setup is automatically suitable for HIPAA, legal privilege, HR, finance, or defense use."

Those claims are too broad for the documented behavior of current tools and for the threat models that official security guidance expects organizations to evaluate.

Document chat, RAG, embeddings, and file indexing

Document chat changes the privacy analysis because you are no longer handling just prompts and outputs. You are also handling uploaded source files, extracted text, chunked text, embeddings, document metadata, and a retrieval index. Ollama's embeddings docs describe embeddings as numeric vectors you can store in a vector database for search and RAG. Open WebUI's Knowledge and RAG docs describe both vector search and full-content injection, while its File Management docs explain that uploaded files can live in chats or Knowledge Bases and carry metadata such as content type, filename, size, and upload date.

LM Studio makes the distinction especially clear. If a document is short enough to fit in the model's context, LM Studio may add the file contents to the conversation in full. If the document is long, LM Studio falls back to RAG and retrieves relevant portions instead. From a privacy standpoint, both modes can remain local if the model and retrieval stack are local, but both modes also create additional places where document content can persist.

Open WebUI's scaled deployment guidance shows how privacy can change as soon as you move beyond a single-machine setup. The docs state that scaled deployments often replace the default local ChromaDB backend with PGVector, Milvus, Qdrant, or ChromaDB in HTTP server mode, and may switch the embedding engine to the OpenAI Embeddings API. That is exactly the kind of architecture shift that breaks simplistic "local AI is private" messaging: the inference model may still be local while the retrieval or embedding layer is no longer fully local.

Delete behavior matters too. Open WebUI documents that deleting a file through its File Manager performs "deep cleanup," removing the file from associated Knowledge Bases and deleting the corresponding vector embeddings. If your tool has no clear deletion path for indexed files and embeddings, privacy promises are weaker because artifacts tend to outlive the visible chat.

The biggest misconception in this area is that embeddings are "safe because they are just vectors." That is not a good assumption. A 2023 paper, *Text Embeddings Reveal (Almost) As Much As Text*, showed that short texts could often be reconstructed with very high fidelity from embeddings and that important personal information such as full names could be recovered in clinical-note experiments. For practical privacy design, embeddings should be treated as sensitive derived data, not as reliable anonymization.

Logs, history, local storage, and sync folders

A workflow can be "local" and still leak privacy through persistence. LM Studio documents that conversations are stored in JSON format on disk and that lms log stream can show the exact strings sent to and received from models. Ollama also has explicit local storage and logging paths: on macOS, models and logs live in ~/.ollama; on Windows, under %LOCALAPPDATA%\Ollama.

Open WebUI is even more obviously stateful. It documents export and import of chats, including all chat messages, metadata, model information, and timestamps. It documents that archived chats remain in the database until permanently deleted. In short, Open WebUI can absolutely be part of a private workflow, but only if you manage what it stores, what it logs, and what your deployment backs up.

Browser-based UIs add another layer. localStorage persists across browser sessions and IndexedDB can store significant amounts of structured data, including files and blobs, on the client side. Chrome extension data can persist even if browsing history is cleared, and chrome.storage.sync can synchronize data across signed-in Chrome browsers.

Sync folders are the most common silent failure mode. Apple documents that Desktop and Documents can be stored in iCloud Drive and synced across devices. Microsoft documents OneDrive backup for Desktop and Documents. Google documents that Drive for desktop sync means uploading files from the computer's hard drive so cloud and local copies match. If your AI working directory, exported chats, vector DB, or data directory sits under one of those sync roots, your "local-only" claim is no longer accurate.

Network access, browser UIs, and firewall checks

The first network question is not "does the model run locally?" It is "who can reach the inference server?" Ollama documents that it binds to 127.0.0.1:11434 by default, but also shows how to change OLLAMA_HOST, expose it through a proxy, and even reach it through ngrok or Cloudflare Tunnel. LM Studio's local server defaults to http://localhost:1234, but its docs also warn that any bind other than 127.0.0.1 exposes the server beyond localhost and recommend authentication. llama.cpp's server defaults to 127.0.0.1 on port 8080, but its Docker examples expose 0.0.0.0.

The second network question is whether the browser is talking only to localhost. Open WebUI's Direct Connections feature explicitly lets the browser communicate directly with an API provider, bypassing the backend. For privacy-sensitive workflows, browser convenience features deserve the same scrutiny as model providers.

Firewall checks are still worth doing even on a single machine. Apple documents that macOS Firewall prevents unwanted incoming connections. Microsoft documents that allowing apps or opening ports through Windows Firewall creates risk. Microsoft also documents netstat for listing listening ports and the process ID that owns them. If something unexpected is listening on a network-facing port, that is worth investigating before assuming the workflow is local-only.

Sensitive documents and privacy levels

Not every use case needs the same privacy posture.

Casual privacy. The goal is usually to avoid sending everyday prompts and files to a consumer cloud AI service. A local model, localhost binding, local document chat, and storage outside sync folders are usually enough. LM Studio's offline mode, Ollama's local-only mode, and llama.cpp on loopback meet this level well.

Professional confidentiality. A better fit for legal drafts, HR material, internal product plans, and client memos. Here, local inference is helpful but not enough. You should also care about browser profiles, extensions, retained chat histories, archived conversations, synced folders, unreviewed plugins, and whether the local API is exposed to the network. Open WebUI's own hardening docs emphasize private trusted networks, and its plugin docs warn that Tools and Functions can execute arbitrary Python and exfiltrate data.

Regulated data. At this level, "local" is not a compliance verdict. HHS states that a cloud service provider handling ePHI becomes a business associate and requires a HIPAA-compliant BAA even if it stores only encrypted ePHI without the encryption key. NIST SP 800-171 likewise frames CUI protection around the components that process, store, or transmit the information. So if any part of your local AI workflow uses cloud storage, cloud identity, cloud logging, cloud embeddings, or a remote model, the compliance analysis has to include those systems too.

High-security or offline use. For highly sensitive material, the strongest posture is a truly disconnected or tightly egress-restricted workflow with pre-downloaded models, no direct provider connections, no web search, no sync folders, no remote storage, localhost-only bind addresses, and no unreviewed plugins.

The short version is that local inference helps most at the "minimize third-party exposure" layer. It does not, by itself, answer questions about access control, retention, deletion, legal obligations, backups, or incident response.

Local AI compared with cloud AI

Local AI usually wins on one important point: if the workflow is truly local, there is no inherent need to send prompts, documents, or outputs to a third-party model provider. The tradeoff is that you become responsible for the endpoint itself: filesystem permissions, backups, browser state, sync clients, logs, archives, and listening sockets.

Cloud AI is not automatically "bad privacy," but it is categorically different. Data has to leave the device to reach the provider, and the provider's retention, logging, contractual controls, and regional boundaries matter. OpenAI documents that API inputs and outputs may be retained for up to 30 days in many cases. Anthropic documents both Zero Data Retention for eligible Claude APIs and HIPAA-ready API access with a signed BAA. AWS documents that Amazon Bedrock does not use customer inputs and outputs to train base models and keeps customer content in-region.

"Local versus cloud" is the wrong binary for many teams. The more accurate comparison is "which system has fewer uncontrolled data paths for this specific threat model?" A disciplined cloud setup with contractual controls, retention limits, private connectivity, IAM, and logging may be safer for some organizations than an unmanaged local desktop full of sync agents, extension sprawl, open ports, and permanent chat archives.

FAQ

Is local AI private by default?

No. Local inference improves privacy only if the rest of the workflow is also local and controlled. Cloud models, remote providers, browser-direct connections, logs, sync folders, plugins, and exposed local servers can all undermine privacy.

If I use Open WebUI with OpenAI or Anthropic, is that still local AI?

Not in the strict inference sense. Open WebUI can front both local and remote providers. If it is connected to OpenAI-, Anthropic-, or Gemini-style APIs, the interface may be self-hosted, but the inference is not local.

Do embeddings count as sensitive data?

Yes, they should. Research shows that embeddings can leak substantial information and, in some cases, reconstruct or infer parts of the source text. Treat them like sensitive derived data, not anonymized data.

Can browser extensions or browser storage leak local AI data?

Yes. Browser UIs commonly rely on client-side storage such as localStorage or IndexedDB, and browser extensions can store persistent data or sync it across signed-in browsers.

Is localhost enough, or should I still use a firewall?

localhost is the right default, but you should still verify that nothing is listening on a network-facing address and that you did not allow unnecessary firewall access.

Sometimes, yes, but "local" is not a compliance determination. For regulated or high-duty confidentiality use, you still need controls for storage, deletion, access, backups, plugins, browser state, and any cloud-connected components.

What is the safest practical setup for highly sensitive files?

A pre-downloaded local model, a local embedding model, localhost-only binding, no web search, no remote providers, no sync folders, no cloud storage, no unreviewed plugins, minimal logging, and a disconnected or egress-restricted network is the strongest practical pattern described by current tooling docs.

EVIDENCE
Official documentation reviewed with caveatsreviewed: 2026-05-24
Official documentation reviewed, with caveats
CAVEATS
·Local AI Guide has not independently installed, benchmarked, or audited this workflow.
·Follow official documentation for current commands, requirements, provider settings, and privacy boundaries.
Best Local LLM for 16GB RAMHow to Run Llama Locally