Federated learning transmits only model updates to protect client data, and differentially private SGD (DP-SGD) bounds content-level leakage through those updates. Neither mechanism accounts for what the communication topology of the federation itself reveals. In cross-silo deployments, a passive adversary with knowledge of the topology and organisational structure has access to information channels that DP-SGD leaves entirely unaddressed. We formalise this threat and derive a principled defense. We introduce TADI (Topology-Aware Distributional Inference), a shadow-trained channel decomposition that isolates per-client leakage into parameter, structural, and organisational components via four channel ablations, and prove an additive per-client mutual-information bound separating a controllable mechanism term from an uncontrollable prior-coupling floor. From this bound we derive Fulcrum, a closed-form balanced min-max optimal noise allocation that strictly dominates uniform DP-SGD whenever the federation's leverage profile is asymmetric, and degenerates exactly to uniform DP-SGD when it is not, making it safe to adopt unconditionally. Evaluated on Fed-ISIC2019, Fed-Heart-Disease, and synthetic CIFAR-10 across six topology families, Fulcrum delivers privacy gains of up to 1.967 nats at no measurable utility cost. The TADI channel decomposition confirms that the parameter channel is bounded by DP-SGD across all settings, the prior-coupling channel is empirically attained under matched-prior conditions, and the bound is conservative in a deployment-favourable direction under realistic cross-silo threat models.

翻译：联邦学习仅传输模型更新以保护客户端数据，而差分隐私随机梯度下降（DP-SGD）通过约束这些更新的内容级泄露来保障隐私。然而，这两种机制均未考虑联邦通信拓扑结构本身所暴露的信息。在跨组织部署场景中，具备拓扑与组织架构知识的被动攻击者能够利用信息通道，而这些通道完全未被DP-SGD覆盖。我们形式化描述了这一威胁，并推导出原则性的防御方案。我们提出TADI（拓扑感知分布推断），一种通过四种通道消融实验将每个客户端泄露分解为参数、结构和组织成分的阴影训练通道分解方法，并证明了可加性每客户端互信息界——该界将可控机制项与不可控先验耦合下限区分开来。基于此界我们导出Fulcrum——一种闭式平衡极小极大最优噪声分配策略，当联邦杠杆分布不对称时严格优于均匀DP-SGD，在对称时则完全退化为均匀DP-SGD，使其可无条件安全采用。在Fed-ISIC2019、Fed-Heart-Disease及合成CIFAR-10数据集上，针对六种拓扑族进行的评估表明，Fulcrum在无显著效用损失下实现高达1.967纳特的隐私增益。TADI通道分解证实：参数通道在所有设置下均受DP-SGD约束，先验耦合通道在匹配先验条件下被经验性达成，且该界在现实跨组织威胁模型下沿部署有利方向保持保守性。