No Prior, No Leakage: Revisiting Reconstruction Attacks in Trained Neural Networks

📅 2025-09-25
🤖 AI Summary
Neural networks’ memorization of training data may cause privacy leakage, yet existing reconstruction attacks lack theoretical foundations for effectiveness in the absence of prior knowledge about the data. Method: We first rigorously prove that, without data priors, reconstruction solutions are non-unique and statistically unreliable—challenging the prevailing belief that strong implicit bias inherently exacerbates leakage. Leveraging the margin-maximization property of implicit bias, we design theory-driven controlled experiments to systematically analyze the relationship between training progress and reconstruction success. Results: Empirical evidence shows that exact sample reconstruction is merely incidental, and continued training significantly suppresses reconstruction risk. This work establishes, for the first time, a theoretical unreliability boundary for prior-free reconstruction, offering a novel paradigm for understanding the intrinsic relationship between memorization and privacy leakage.

📝 Abstract
The memorization of training data by neural networks raises pressing concerns for privacy and security. Recent work has shown that, under certain conditions, portions of the training set can be reconstructed directly from model parameters. Some of these methods exploit implicit bias toward margin maximization, suggesting that properties often regarded as beneficial for generalization may actually compromise privacy. Yet despite striking empirical demonstrations, the reliability of these attacks remains poorly understood and lacks a solid theoretical foundation. In this work, we take a complementary perspective: rather than designing stronger attacks, we analyze the inherent weaknesses and limitations of existing reconstruction methods and identify conditions under which they fail. We rigorously prove that, without incorporating prior knowledge about the data, there exist infinitely many alternative solutions that may lie arbitrarily far from the true training set, rendering reconstruction fundamentally unreliable. Empirically, we further demonstrate that exact duplication of training examples occurs only by chance. Our results refine the theoretical understanding of when training set leakage is possible and offer new insights into mitigating reconstruction attacks. Remarkably, we demonstrate that networks trained more extensively -- and therefore satisfying implicit bias conditions more strongly -- are, in fact, less susceptible to reconstruction attacks, reconciling privacy with the need for strong generalization in this setting.

Problem

Research questions and friction points this paper is trying to address.

Analyzing limitations of neural network training data reconstruction attacks
Proving reconstruction is unreliable without prior data knowledge
Demonstrating extensively trained networks resist reconstruction better

Innovation

Methods, ideas, or system contributions that make the work stand out.

Analyzing limitations of existing reconstruction attack methods
Proving reconstruction unreliable without prior data knowledge
Demonstrating extensively trained networks resist attacks better