I can't actually think of a good reason that the law should prohibit a company from having the option to automatically scan private messages for CSAM. Can you?
Certain implementations may fall afoul of data protection laws however.
A good reason might be that you don't want your private messages to be scanned by any third party in a conversation...
Because they shouldn't be scanning private messages indiscriminately no matter for what. Lets rephrase it and look at it from "private companies will scan their users private messages for evidence of crimes and report people to police." Where is the limit here? I think it is naive to assume this will stop at csam and will soon be used as a judicial bludgen to extort random citizens for petty crimes that in any other case nobody would ever care or know about.