The Online Safety Act has been subject to changes for quite considerable time. Here’s a law firm’s summary:
https://www.allenovery.com/en-gb/global/blogs/tech-talk/the-online-safety-act-is-finally-here-businesses-now-turn-to-implementation-questions
Specially they talk about services hosting illegal content (ie social media etc). On E2EE they say:
Further powers for Ofcom to tackle harms caused by messages sent via end-to-end encryption. Controversially, the OSA would give Ofcom the power to require service providers to deploy accredited technology to address terrorism and Child Sexual Exploitation and Abuse (CSEA) content and/or develop and source technology to tackle CSEA content. This could include measures addressed to end-to-end encryption. In September 2023, the Government stated that service providers will not be required to scan encrypted messages until it is “technically feasible and where technology has been accredited as meeting minimum standards of accuracy in detecting only child sexual abuse and exploitation content”, although this is not in the OSA itself.
Which implies those conditions will never actually be fulfilled, although that is up to the government to decide upon (ie it leaves open the door to future idiocy).
I don’t see anything about on device scanning: for Apple it was about scanning iCloud, which is, as a cloud service, arguably a publisher under Apple’s control. I can’t see how anything on your phone is under anyone’s control but your own.