Gradient inversion attacks (GIAs) in federated learning (FL) pose severe privacy threats by reconstructing clients’ private training data from shared gradients. Method: This work systematically characterizes GIA threat models under practical constraints and introduces the first taxonomy—optimization-based (OP-GIA), generative, and analytical GIAs—evaluated across diverse FL frameworks via large-scale experiments. It identifies OP-GIA as the most realistic and effective variant. To counter this, the paper proposes a lightweight, three-stage defense pipeline tailored for FL systems, designed to preserve model utility while substantially enhancing robustness against GIAs. Contribution/Results: The study establishes empirical performance boundaries for all three GIA classes, successfully reproduces OP-GIA in realistic FL deployments, and provides a deployable privacy–utility trade-off framework. It further outlines a collaborative attack–defense research roadmap, advancing both theoretical understanding and practical mitigation of gradient-based privacy leakage in FL.

Federated Learning (FL) has emerged as a promising privacy-preserving collaborative model training paradigm without sharing raw data. However, recent studies have revealed that private information can still be leaked through shared gradient information and attacked by Gradient Inversion Attacks (GIA). While many GIA methods have been proposed, a detailed analysis, evaluation, and summary of these methods are still lacking. Although various survey papers summarize existing privacy attacks in FL, few studies have conducted extensive experiments to unveil the effectiveness of GIA and their associated limiting factors in this context. To fill this gap, we first undertake a systematic review of GIA and categorize existing methods into three types, i.e., extit{optimization-based} GIA (OP-GIA), extit{generation-based} GIA (GEN-GIA), and extit{analytics-based} GIA (ANA-GIA). Then, we comprehensively analyze and evaluate the three types of GIA in FL, providing insights into the factors that influence their performance, practicality, and potential threats. Our findings indicate that OP-GIA is the most practical attack setting despite its unsatisfactory performance, while GEN-GIA has many dependencies and ANA-GIA is easily detectable, making them both impractical. Finally, we offer a three-stage defense pipeline to users when designing FL frameworks and protocols for better privacy protection and share some future research directions from the perspectives of attackers and defenders that we believe should be pursued. We hope that our study can help researchers design more robust FL frameworks to defend against these attacks.