I have a servlet for allowing manipulations of images - zoom, etc.
What's the best way to deploy this service so that the users of the servlet keep their images confidential?
I assume this means they need to run the servlet on their own servers rather than on mine.
Is there any other way of providing this service to them?
They have to give you the image for you to transform it. You can promise that you delete it immediately afterwards, but your users will have to take your word for that.
File hosting services can maintain confidentiality by hosting only encrypted files that the service operator cannot open themselves. But you cannot manipulate an encrypted image without decrypting it first.
You can use HTTPS to make sure there are no eavesdroppers, and also make sure that you send the image to no one except the owner of the original (as far as you can tell from the login session). You should delete any files as soon as you can.
As you say, the only way to ensure that no one else gets to see the image is to run the application on the user's end.