Flash applications are run on the client side. Your browser downloads a copy of the SWF file and then runs the AS3 code locally. If you haven't installed a Flash player (or Flash plugin) then your PC will be
incapable of running the game. Therefore the server will simply show you an error message and advise you to install the appropriate Flash software.
If a SWF file is hosted on a website, then the Flash application will sometimes have limited access to the web server's filesystem. This access allows the Flash experience to include things (such as sound effects and video clips) which don't exist on your local PC. The most obvious example is a Flash "video player" which
allows the user to
watch a movie, but which
prevents the user from easily
downloading an intact copy of the MP4 source file.
When you submit a local file (such as a PNG hairstyle) to a web-hosted SDT game, the file is loaded
into the SWF (i.e. the temporary file which exists on your PC). The chosen file
doesn't automatically travel to the server. Your local copy of the game accepts the PNG file, draws the hairstyle sprites onto the appropriate layers, and the appearance of your girl changes accordingly. The web server merely hosts the SWF file and allows you to download it; there's no reason for your PNG files to be uploaded.
Nonetheless,
it is possible for a developer to include a special AS3 instruction such as
"whenever the user submits a file, please upload a copy to my FTP server." Most developers would not bother to do so, because their server would quickly fill up with duplicate copies of the most popular anime hairstyles. But it's theoretically possible for a malicious developer to spy on your activity or blackmail you.
If you're concerned about privacy then I would encourage you to download your own local copy of the
SDT game (or the
SDT Loader). If you're especially nervous then you can
inspect the game's code to ensure that it isn't doing anything wrong. You could even disable your internet connection before running the game. Of course such vigilance quickly becomes inconvenient ... and so most people simply ignore the privacy risk (or they assume that SDT modders are acting in good faith, and therefore they act with less caution).
In practice, the SDT-hosting website probably
isn't spying on you. Porn websites typically host hundreds of different games, and it would be impractical to inject blackmail code into all of them. If the website operator wants to harm you, then it's much easier for them to fill your screen with aggressive popup ads, or trick you into installing ransomware, or exploit an XSS vulnerability to steal your passwords. But there's little reason to rely on a web-hosted copy of SDT, so you should just install a local copy anyways.
People are usually more concerned with security flaws in Flash (which can expose your PC to malware) rather than the risk that a Flash game will leak any embarassing personal data.