Hybrid local--cloud agents enrich user requests with context from persistent working state before delegating capability-intensive subtasks to a cloud language model (CLM). While this enrichment can improve task success, it also exposes unnecessary information in the cloud-bound payload, including task-irrelevant context, carryover from prior workflows, and overly specific sensitive details, resulting in \emph{over-disclosure}. Existing solutions either isolate workflows to limit cross-workflow leakage or apply general-purpose sanitization that does not reason over the scope of the locally assembled payload. We present \textsc{PrivScope}, a trusted on-device payload governor that enforces \emph{task-scoped disclosure} at the local--CLM boundary, without requiring cloud-side changes. Its key idea is that sensitive information should reach the cloud only when required for the delegated subtask, and then only in the least revealing form that preserves utility. \textsc{PrivScope} extracts disclosure units from the assembled payload and keeps direct identifiers and account-linked values on device. The remaining units pass through cloud-necessity control, which determines what is actually needed; units that must reach the cloud are abstracted to the least-specific representation sufficient for the task. On 100 medical-booking workflows across three commercial CLMs, \textsc{PrivScope} eliminates profile leakage (0.0\% vs.\ 17.7\%), more than halves attacker re-identification (23.1\% vs.\ 64.3\%), and achieves the highest candidate recall on every CLM tested while preserving task success close to the unprotected baseline on GPT-4o-mini and Gemini 2.5 Flash. Gains hold across five local backbones and add only seconds of on-device latency on commodity hardware.
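The three-stage pipeline the abstract describes (keep identifiers on device, decide cloud necessity per subtask, abstract what remains to its least-specific useful form) can be illustrated with a small payload governor. The following is an added example written for this page, not \textsc{PrivScope}'s own code: it assumes the assembled payload is a flat dictionary whose keys are the disclosure units, that cloud necessity is a per-task allowlist, that abstraction rules are fixed functions, and that the sample medical-booking payload (including a carried-over travel entry from an earlier workflow) is constructed for the demonstration.

```python
"""Toy task-scoped disclosure governor for a local-to-cloud hand-off.

Added illustration, not PrivScope's code. Everything below is an assumption made
for the example: payloads are flat dicts whose keys are the disclosure units,
cloud necessity is a per-task allowlist, abstraction rules are fixed functions,
and the sample payload is constructed.
"""
import re
from datetime import date

# Direct identifiers and account-linked values never leave the device (assumed set).
ON_DEVICE_ONLY = {"name", "phone", "email", "patient_id"}

# Cloud-necessity policy: the units each delegated subtask actually needs (assumed).
TASK_NEEDS = {
    "book_appointment": {"condition", "dob", "address", "preferred_time"},
    "summarize_notes": {"condition", "notes"},
}

# Free-text redaction for identifiers that ride along inside otherwise-needed units.
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def redact_text(text):
    """Replace phone numbers and e-mail addresses embedded in free text."""
    return EMAIL_RE.sub("[email]", PHONE_RE.sub("[phone]", text))


def abstract_dob(dob_iso, today=date(2025, 1, 1)):
    """Exact date of birth -> ten-year age band (enough to route adult vs. paediatric care)."""
    y, m, d = map(int, dob_iso.split("-"))
    age = today.year - y - ((today.month, today.day) < (m, d))
    lo = (age // 10) * 10
    return f"age {lo}-{lo + 9}"


def abstract_address(addr):
    """Street address -> city only (enough to search for nearby providers)."""
    parts = [p.strip() for p in addr.split(",")]
    return parts[1] if len(parts) >= 2 else "[address withheld]"


# Hypothetical diagnosis -> specialty map used only by this example.
SPECIALTY = {"type 2 diabetes": "endocrinology", "atrial fibrillation": "cardiology"}


def abstract_condition(cond):
    """Diagnosis -> clinical specialty; unknown diagnoses fall back to the generic clinic."""
    return SPECIALTY.get(cond.lower(), "general medicine")


# Least-specific representation per task; a unit with no rule passes verbatim (after redaction).
TASK_ABSTRACTORS = {
    "book_appointment": {"dob": abstract_dob, "address": abstract_address,
                         "condition": abstract_condition},
    "summarize_notes": {},
}


def govern(payload, task):
    """Split an assembled payload into cloud-bound, on-device, and dropped units."""
    if task not in TASK_NEEDS:
        # Fail closed: an unknown subtask has no disclosure policy, so nothing is delegated.
        raise ValueError(f"no disclosure policy for task {task!r}; refusing to delegate")
    cloud, on_device, dropped = {}, {}, []
    for unit, value in payload.items():
        if unit in ON_DEVICE_ONLY:
            on_device[unit] = value      # identifiers stay local, re-attached after the CLM replies
        elif unit not in TASK_NEEDS[task]:
            dropped.append(unit)         # task-irrelevant, or carried over from a prior workflow
        else:
            rule = TASK_ABSTRACTORS[task].get(unit)
            value = rule(value) if rule else value
            cloud[unit] = redact_text(value) if isinstance(value, str) else value
    return {"cloud": cloud, "on_device": on_device, "dropped": sorted(dropped)}


# Constructed sample working state, including carryover from an unrelated earlier workflow.
PAYLOAD = {
    "name": "Jane Doe",
    "phone": "555-010-1234",
    "email": "jane@example.com",
    "patient_id": "P-00042",
    "dob": "1981-06-15",
    "address": "12 Elm St, Springfield, 62704",
    "condition": "type 2 diabetes",
    "preferred_time": "weekday mornings",
    "notes": "Call me at 555-010-1234 about last refill.",
    "prior_task_flight": "LHR->SFO 2024-11-03",
}

if __name__ == "__main__":
    for task in TASK_NEEDS:
        print(task, govern(PAYLOAD, task)["cloud"])
```

Running the block shows the same working state producing two different cloud payloads: the booking subtask receives only a specialty, an age band, a city and a time preference, while the note-summarization subtask receives the exact diagnosis and the notes with the embedded phone number redacted. Identifiers never appear in either, and the travel entry carried over from the earlier workflow is dropped by the necessity check rather than by any sanitizer pattern.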