This is the key concept and change between EMV and what is required for CBP cryptograms.
Effectively, the cryptogram in a CBP payment is created half in the cloud and the other half when you tap the phone.
The reason is that network connectivity may not allow a scenario like the left side of the diagram below: the UN could get cut off in transit from the POS to the calculation space, or it would be subject to network latency and create a "Tap and Hover" effect that would be an awful user experience.
The CBP cryptogram allows all components to be used as before and exposes a "relay threat" only to the Android app after the SUK is received, but not to the POS terminal. It also allows the Phase 2 calculation to happen independently of cloud availability at tap time. The Phase 1 calculation and delivery to the phone from the cloud is expected to be performed prior to tapping the phone, but not during the tap itself.
The thought is to offset the relay threat with in-app security and the sensor-rich Android OS.
It becomes a net neutral from a security standpoint really, IMO.
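
The two-phase split described above, as an added sketch that is not taken from this page or from any CBP specification: HMAC-SHA-256 stands in for the real cryptogram algorithm, and the per-transaction counter (`atc`), the field sizes, the treatment of the SUK as a key good for one transaction, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac


def phase1_cloud_derive_suk(card_master_key: bytes, atc: int) -> bytes:
    """Phase 1 (cloud, before the tap): derive a key bound to one counter value."""
    label = b"SUK" + atc.to_bytes(2, "big")
    return hmac.new(card_master_key, label, hashlib.sha256).digest()[:16]


def phase2_phone_cryptogram(suk: bytes, atc: int, un: bytes, amount_minor: int) -> bytes:
    """Phase 2 (phone, at tap time, no network): bind the POS-supplied UN and amount."""
    msg = atc.to_bytes(2, "big") + un + amount_minor.to_bytes(6, "big")
    return hmac.new(suk, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Holds the master key, recomputes both phases, and refuses a reused counter."""

    def __init__(self, card_master_key: bytes):
        self.key = card_master_key
        self.used_atcs = set()

    def verify(self, atc: int, un: bytes, amount_minor: int, cryptogram: bytes) -> bool:
        if atc in self.used_atcs:  # the key for this counter was already spent
            return False
        suk = phase1_cloud_derive_suk(self.key, atc)
        expected = phase2_phone_cryptogram(suk, atc, un, amount_minor)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self.used_atcs.add(atc)
        return True


def demo():
    master = bytes(range(16))        # constructed sample key
    un = bytes.fromhex("a1b2c3d4")   # constructed UN, as sent by the POS at tap time
    atc, amount = 7, 1250
    issuer = Issuer(master)
    suk = phase1_cloud_derive_suk(master, atc)               # delivered before the tap
    cryptogram = phase2_phone_cryptogram(suk, atc, un, amount)  # computed on the phone
    first = issuer.verify(atc, un, amount, cryptogram)
    reused = issuer.verify(atc, un, amount, cryptogram)      # same counter again
    wrong_un = Issuer(master).verify(atc, bytes(4), amount, cryptogram)
    return first, reused, wrong_un


if __name__ == "__main__":
    print(demo())
```

Phase 2 needs only the SUK and the values from the terminal, which is why the tap works without cloud access, and also why the exposure moves to whatever holds the SUK on the phone.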