That sounds reasonable and likely the method. Would you indulge a few more relevant questions? Could that API also know your search term without sharing it? How can we know that the API is not being abused? And, can access to an API like that be shared, or hacked? Are we still at “we don’t look even though we could”?
He was a dragon-man…