Quantifying observable privacy in differentially private generative models under black-box access

Black-box access to synthetic data generated by differentially private (DP) models often exhibits much weaker membership inference leakage than suggested by worst-case DP accounting. We study this gap from a test-centric f-DP perspective, focusing on privacy observable through a fixed black-box interface rather than on strengthening formal DP budgets. On the training side, we show that DP–SGD induces function-level stability that is better captured by loss-path kernels than by parameter proximity. On the sampling side, the high-dimensional latent randomness used by modern generators yields approximate Gaussian behavior, enabling a Gaussian surrogate analysis of distinguishability. Combining these ingredients yields an effective signal parameter with small, quantifiable slack. The resulting envelopes characterize how black-box distinguishability decreases with dataset size and effective latent dimension, and grows only sublinearly across multiple releases, while leaving the underlying DP guarantees unchanged. Simulations and empirical tests confirm these trends and match observed attack performance, suggesting that the framework provides a conservative and interpretable tool for post-hoc auditing of DP-trained generative models under realistic black-box access.