🤖 AI Summary
This work addresses the insufficient privacy guarantees that differential privacy (DP) defenses provide for image data in practical settings. We propose a diffusion-model (DM)-based data reconstruction attack framework that assesses visual privacy risk using only real-image priors, without requiring access to the target model or its training data. Notably, we are the first to repurpose Stable Diffusion as a visual privacy auditing tool, revealing the critical role of image priors in reconstruction success. Empirical evaluation demonstrates that standard DP theoretical bounds severely underestimate actual visual privacy leakage on CIFAR-10 and CelebA. Our contributions include: (1) establishing the first empirical privacy auditing benchmark tailored to visual data; (2) generating interpretable privacy leakage heatmaps that localize vulnerable image regions; and (3) exposing fundamental limitations of DP theoretical guarantees, thereby providing data-driven guidance for selecting DP hyperparameters in vision tasks.
📝 Abstract
Data reconstruction attacks on machine learning models pose a substantial threat to privacy, potentially leaking sensitive information. Although defending against such attacks using differential privacy (DP) provides theoretical guarantees, determining appropriate DP parameters remains challenging. Current formal guarantees on the success of data reconstruction suffer from overly stringent assumptions regarding adversary knowledge about the target data, particularly in the image domain, raising questions about their real-world applicability. In this work, we empirically investigate this discrepancy by introducing a reconstruction attack based on diffusion models (DMs) that only assumes adversary access to real-world image priors and specifically targets the DP defense. We find that (1) real-world data priors significantly influence reconstruction success, (2) current reconstruction bounds do not model the risk posed by data priors well, and (3) DMs can serve as heuristic auditing tools for visualizing privacy leakage.