🤖 AI Summary
This work addresses the privacy-utility trade-off in prototype-based personalized federated learning, where directly sharing class prototypes risks privacy leakage and existing isotropic Gaussian perturbation methods struggle to balance privacy preservation with representation fidelity. To this end, the authors propose VPDR, a client-side privacy plugin that introduces Variance-adaptive Prototype Perturbation (VPP), which dynamically allocates noise intensity according to dimension-wise class variances. VPDR further incorporates Distillation-guided Clipping Regularization (DCR) to encourage feature norms to adaptively concentrate near the clipping threshold. Evaluated under the local differential privacy framework, the proposed method significantly enhances model utility, outperforms existing perturbation strategies across multiple benchmark domains, and maintains robustness against realistic attacks, thereby achieving a superior privacy-utility trade-off.
📝 Abstract
Prototype-based Personalized Federated Learning (ProtoPFL) enables efficient multi-domain adaptation by communicating compact class prototypes, but directly sharing them poses privacy risks. A common defense involves per-example $\ell_2$ clipping before prototype computation to bound sensitivity, followed by isotropic Gaussian noise to enforce Local Differential Privacy (LDP). However, Isotropic Gaussian Prototype Perturbation (IGPP) typically over-perturbs discriminative dimensions and struggles to balance the clipping threshold with representation fidelity. In this paper, we propose VPDR, a client-side privacy plug-in that seamlessly integrates into existing ProtoPFLs. Motivated by the observation that dimension-wise class variance reflects discriminability, we introduce Variance-adaptive Prototype Perturbation (VPP), which allocates less noise to discriminative subspaces, preserving semantic separability while ensuring privacy. We further develop Distillation-guided Clipping Regularization (DCR), which enables feature norms to adaptively concentrate near the predefined clipping threshold while maintaining prediction consistency. Theoretical analysis shows that our groupwise mechanism provides privacy guarantees no weaker than the isotropic baseline under the same privacy constraints. Extensive experiments on multi-domain benchmarks demonstrate that VPDR achieves a superior privacy-utility trade-off, outperforming IGPP in personalized federated fine-tuning without sacrificing robustness against realistic attacks.
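The baseline the abstract describes (per-example $\ell_2$ clipping, prototype averaging, then isotropic Gaussian noise) is illustrated below as an added example, not the authors' code. The function names, the replace-one sensitivity bound $2C/n$ and the classical Gaussian-mechanism calibration of $\sigma$ are assumptions, since the abstract does not state the paper's exact calibration.

```python
import math
import random


def clip_l2(x, c):
    """Per-example clipping: rescale x so that ||x||_2 <= c."""
    norm = math.sqrt(sum(v * v for v in x))
    scale = min(1.0, c / norm) if norm > 0 else 1.0
    return [v * scale for v in x]


def gaussian_sigma(sensitivity, eps, delta):
    """Classical Gaussian-mechanism noise scale (assumed calibration)."""
    if not (0 < eps < 1 and 0 < delta < 1):
        raise ValueError("classical bound requires 0 < eps < 1, 0 < delta < 1")
    return sensitivity * math.sqrt(2 * math.log(1.25 / delta)) / eps


def igpp_prototype(features, c, eps, delta, rng):
    """Return (clean prototype, noisy prototype, sigma) for one class."""
    if not features:
        raise ValueError("class has no local examples")
    clipped = [clip_l2(x, c) for x in features]
    n, d = len(clipped), len(clipped[0])
    proto = [sum(x[j] for x in clipped) / n for j in range(d)]
    # Assumption: swapping one clipped example moves the mean by <= 2c/n.
    sigma = gaussian_sigma(2 * c / n, eps, delta)
    # Isotropic: every dimension gets the same sigma, whatever its variance.
    noisy = [p + rng.gauss(0.0, sigma) for p in proto]
    return proto, noisy, sigma


if __name__ == "__main__":
    # Constructed features for one class on one client (not real data).
    feats = [[3.0, 4.0], [0.3, 0.4], [0.5, -0.2], [1.2, 0.9]]
    proto, noisy, sigma = igpp_prototype(feats, c=1.0, eps=0.5, delta=1e-5,
                                         rng=random.Random(0))
    print("prototype:", proto)
    print("sigma:", sigma)
    print("shared prototype:", noisy)
```

Lowering `c` reduces `sigma` but rescales more features, which is the tension between clipping threshold and representation fidelity that the abstract attributes to IGPP.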