Show HN: Building a future where security checks leave no permanent trails

1 point, posted 6 hours ago by csp_dev

Item id: 46708879

2 Comments

pkolbus

5 hours ago

The concept of sending a hash prefix is exactly what haveibeenpwned.com uses for its Pwned Passwords API, and has used for years. Although that uses SHA-1, no other details of the credential are sent. https://haveibeenpwned.com/API/v3#PwnedPasswords. The shorter prefix length increases the size of the response and makes it harder for the server to infer which of the hashes is of interest to the client; it also facilitates caching.

There is also Password Set Intersection with Blinding, which takes advantage of homomorphic encryption: https://openmined.org/blog/private-set-intersection/

Neither of these leaves the record that a particular password was checked at a particular time.

I’d also argue that anything requiring a server query leaves some record and is not “100% local”, although some server interaction is pragmatic given the billions of breach records. What is important is to not leave an additional record of a user/password association.
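The hash-prefix range lookup described in the comment above, as an added example that is not part of either comment and is not haveibeenpwned.com's code. `RangeServer`, `check_password`, `response_size` and the `BREACHED` corpus are constructed for illustration; the 5-hex-character prefix matches the Pwned Passwords range API, and the 2-character server exists only to show how a shorter prefix enlarges the response.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class RangeServer:
    """Stand-in for the breach service; it only ever receives a hash prefix."""
    def __init__(self, breached, prefix_len=5):
        self.prefix_len = prefix_len
        self.seen = []                      # everything the server could log
        self.buckets = defaultdict(dict)    # prefix -> {suffix: count}
        for pw, count in breached.items():
            h = sha1_hex(pw)
            self.buckets[h[:prefix_len]][h[prefix_len:]] = count

    def range(self, prefix):
        self.seen.append(prefix)
        rows = sorted(self.buckets.get(prefix, {}).items())
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)

def check_password(password, server):
    """Return the breach count, 0 if absent. The suffix match is done locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:server.prefix_len], h[server.prefix_len:]
    for line in server.range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def response_size(password, server):
    """Number of candidate hashes the server returns for this password's prefix."""
    prefix = sha1_hex(password)[:server.prefix_len]
    return len(server.range(prefix).splitlines())

# Constructed corpus: 5000 synthetic entries plus one known password.
BREACHED = {f"pw{i}": 1 for i in range(5000)}
BREACHED["password123"] = 42

if __name__ == "__main__":
    long_prefix = RangeServer(BREACHED, 5)
    short_prefix = RangeServer(BREACHED, 2)
    print(check_password("password123", long_prefix), long_prefix.seen)
    print(response_size("password123", long_prefix), "rows at 5 hex chars,",
          response_size("password123", short_prefix), "rows at 2")
```
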

chrisjj

6 hours ago

Surely this is just a data compression exercise - proved by the fact that where the database is small enough to be downloaded and stored locally, the vulnerability need not exist.