This work addresses the challenge of controlling posterior privacy leakage in metric-based local differential privacy (mDP) under joint consumption scenarios, where evidence aggregation and cross-record correlations exacerbate inference risks. The authors propose a novel posterior leakage metric, mPL, aligned with an adversary’s objective, and introduce the Probabilistically Bounded mPL (PBmPL) framework. PBmPL dynamically balances privacy and utility under joint observations through adaptive perturbation and a neural auditing mechanism. It is the first approach to formalize posterior odds shift as a verifiable and certifiable privacy guarantee, integrating Bayesian remapping with neural-network-based adversary modeling for end-to-end joint privacy control. Experiments on word embedding tasks demonstrate that PBmPL substantially reduces high mPL violation rates while incurring minimal utility loss, confirming its effectiveness and practicality.

Metric differential privacy (mDP) strengthens local differential privacy (LDP) by scaling noise to semantic distance, but many machine learning (ML) systems are consumed under joint observation, where model-agnostic, per-record guarantees can miss leakage from evidence aggregation. We introduce metric-normalized posterior leakage (mPL), an attacker-aligned, distance-calibrated measure of posterior-odds shift induced by releases, and show that for single or independent releases, uniformly bounding mPL is equivalent to mDP. Under joint observation, however, satisfying mDP may still leave mPL high because learned aggregators compound evidence across correlated items. To make control practical, we formalize probabilistically bounded mPL (PBmPL), which limits how often mPL may exceed a target budget, and we operationalize it via Adaptive mPL (AmPL), a trust-and-verify framework that perturbs, audits with a learned attacker, and adapts parameters (with optional Bayesian remapping) to balance privacy and utility. In a word-embedding case study, neural adversaries violate mPL under joint consumption despite per-record mDP perturbations, whereas AmPL substantially lowers the frequency of such violations with low utility loss, indicating PBmPL as a practical, certifiable protection for joint-consumption settings.