Google would not need to store call metadata to enable this feature. Caller ID would just need to compare an incoming number against a known spammer database. Call metadata for a specific phone need not be stored, just compared in real time.
If you're using Caller ID in the Google Phone app, you're already sending the incoming number to Google for identification. You are free, of course, to turn that off and I bet this spam warning would be disabled as well.
Granted, I have no inside knowledge of how this feature is implemented, but I'm guessing you don't either. I just don't see why it has to be implemented the way you think it is.