🤖 AI Summary
This work addresses the lack of a systematic evaluation framework in existing membership inference attack (MIA) research, which hinders accurate characterization of privacy risks in real-world scenarios. The paper proposes the first end-to-end MIA evaluation framework encompassing data, model architectures, training algorithms, and post-training modules. Under a unified formal threat model, it introduces multidimensional metrics—such as balanced accuracy and true positive rate at low false positive rates—to accommodate both symmetric and asymmetric misclassification costs. Through large-scale empirical analysis across diverse configurations, the study reveals the strong dependence of MIA performance on the choice of threat model and evaluation metrics, leading to practical guidelines for privacy assessment. An open-source, ready-to-use auditing toolkit is released to significantly enhance the reliability and reproducibility of privacy risk evaluations in real-world deployments.
📝 Abstract
While Membership Inference Attacks (MIAs) are the prevailing method for identifying training data, their application has expanded into privacy auditing and machine unlearning. Nevertheless, the field lacks a systematic framework for evaluating how different contexts affect MIA efficacy. Without such a characterization, practitioners risk deploying algorithms that perform well on benchmarks but become statistically irrelevant when faced with the nuances of specific, real-world datasets. To bridge this gap and provide actionable insights, we introduce a comprehensive evaluation framework that systematically characterizes privacy risks across the entire machine learning pipeline, spanning data, architectures, algorithms, and post-training modules. Designed to inherently capture diverse operational contexts, our framework rigorously evaluates state-of-the-art MIAs across a broad spectrum of training configurations. To account for varying misclassification costs in real-world deployments, we employ three complementary metrics: Balanced Accuracy for symmetric costs, alongside TPR at low FPR (or TNR at low FNR) for asymmetric scenarios where false alarms or missed detections are strictly penalized. Furthermore, recognizing that existing MIAs assume divergent adversary capabilities, we formalize two standardized threat models and adapt these attacks into corresponding variants to ensure an equitable benchmark. Extensive empirical evaluations demonstrate that the efficacy of specific MIA methodologies is highly sensitive to the assumed threat models and chosen evaluation metrics. Ultimately, we distill these findings into actionable guidelines and provide a ready-to-use auditing toolkit, empowering practitioners to conduct better privacy assessments.
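The three metrics named in the abstract can rank the same attacks differently. The following is an added example, not code from the paper or its toolkit, that computes them for two constructed attack score sets. It assumes higher scores mean "more likely a member", a 1% budget for the low-FPR and low-FNR conditions, and balanced accuracy taken at the best threshold; the names `roc_points`, `audit`, `ATTACK_A` and `ATTACK_B` are hypothetical.

```python
# Added example: constructed scores, not data or code from the paper or its toolkit.

def roc_points(scores, labels):
    """(FPR, TPR) for every rule 'predict member if score >= t'; labels: 1=member."""
    pos = sum(labels)
    neg = len(labels) - pos
    ranked = sorted(zip(scores, labels), key=lambda p: -p[0])
    points, tp, fp, i = [(0.0, 0.0)], 0, 0, 0
    while i < len(ranked):
        t = ranked[i][0]
        while i < len(ranked) and ranked[i][0] == t:  # tied scores move together
            tp += ranked[i][1]
            fp += 1 - ranked[i][1]
            i += 1
        points.append((fp / neg, tp / pos))
    return points

def audit(scores, labels, alpha=0.01):
    """The three metrics from the abstract; alpha is the assumed error budget."""
    pts = roc_points(scores, labels)
    return {
        # Symmetric costs: best balanced accuracy over all thresholds (assumption).
        "balanced_acc": max((tpr + 1 - fpr) / 2 for fpr, tpr in pts),
        # False alarms penalized: best TPR while FPR <= alpha.
        "tpr_at_low_fpr": max(tpr for fpr, tpr in pts if fpr <= alpha),
        # Missed detections penalized: best TNR while FNR <= alpha.
        "tnr_at_low_fnr": max(1 - fpr for fpr, tpr in pts if 1 - tpr <= alpha),
    }

# Constructed audit set: 100 training members followed by 100 non-members.
LABELS = [1] * 100 + [0] * 100
# Attack A separates most records but its highest scores are all non-members.
ATTACK_A = [0.6] * 100 + [0.9] * 30 + [0.3] * 70
# Attack B is confident on 20 members and uninformative on everything else.
ATTACK_B = [0.99] * 20 + [0.5] * 80 + [0.5] * 100

if __name__ == "__main__":
    for name, scores in (("A", ATTACK_A), ("B", ATTACK_B)):
        print(name, audit(scores, LABELS))
```

Attack A wins on balanced accuracy yet identifies no member at a 1% false positive rate, while attack B does the opposite, so an audit that reports only one metric would reach opposite conclusions about which attack signals more risk.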