> is it possible that the "ad profiling" can still take place on the client
I believe this is the future in a GDPR world. The server sends a list to the client of 1000 ads, and the client decides which to show based on all the data available locally and a big local neural network model to decide which you're most likely to click.
IIUC the Brave browser is already experimenting with this model. They promise[0] "privacy-preserving" ads to users AND targeting to advertisers:
"...when a Brave Ad is matched to you, it is done on your own device, by your own device, inside Brave itself. Your personal data never leaves your own device."
The mechanism is very similar to what you describe.
The problem is that the 'secret sauce' of ad targeting is that model that decides what you're most likely to click... Ad networks really don't want that model outside their data centers...
Alas, the GDPR might force a rethink on that when it gets enforced with teeth.
I believe this is the future in a GDPR world. The server sends a list to the client of 1000 ads, and the client decides which to show based on all the data available locally and a big local neural network model to decide which you're most likely to click.