So, Rene Richie summed it up well. This is REALLY straightforward, no "fanboy" talk. Hopefully this should shutdown the silly rhetoric. Of course, I realize it won't... unfortunately some people are here to argue regardless of facts.
- Google and Tencent send Safari hashed prefixes of URLs (websites) known to be malicious. If your device is region-set to most places, you get Google's. If it's region set to mainland China, you get Tencent's. Hash prefixes, while imperfect, were designed to be more general than specific URLs.
- Safari checks any web page you try to go to again the list of hash prefixes. If they match, the page may be malicious.
- At that point, Safari asks Google or Tencent for the full list of URLs that match the hashed prefix.
- Safari then checks the site against the list on device to determine if there's an exact match. So, the specific URL is never sent to Google or Tencent.
- Because Safari is communicating with Google and Tencent, they do see the IP address of the device, and because they have the hash prefix, they do know the general pool to which the site belongs.
- If anyone, at any time, has any concerns about Google or Tencent having that information, they can go to Settings > Safari on iOS or System Preferences > Security on macOS, and toggle fraudulent website warnings off. The downside, of course, is that you might hit a malicious website without warning. So, you need to balance the threats associated with both conditions.