This is an interesting question! However, it requires being a bit more formal about what "anonymization" means to answer properly. No approach will result in a leakage-free solution, since some information will always be revealed about the input unless you use encryption or secret sharing to hide the original input.
As you observed, embeddings are not one-to-one, which means some information will indeed be "lost" during the embedding phase. The problem is then to determine how much information is lost exactly, and making sure it is sufficient to hide sensitive information in your application/setting. Two possible approaches come to mind:
(Local) Differential Privacy
To ensure that each embedding always loses "enough" information (here enough is a setting-specific parameter) to prevent the API from learning sensitive information about the query, we can inject some noise to the embedding and analyze the information loss through the local differential privacy framework. Interestingly, when embedding high-dimensional vectors into a low(er)-dimensional space via the Johnson–Lindenstrauss transform, it has been shown that the embedding itself can be differentially private under the right parameters.
Probably Approximately Correct (PAC) Security
A different approach (compared to local differential privacy) was recently proposed to capture the information leaked on an input $X$ from a mechanism $M$ applied on $X$. In your case, $M$ would be the embedding and $X$ would be the query. PAC security quantifies the leakage in a data-dependent way (whereas differential privacy considers worst-case data distributions). This appears to be closer to your goal of determining how "private" the embedding is. I recommend reading Section 7 and Appendix K of the PAC security paper to get an overview and comparison to differential privacy.
