Well, you're right. But I was directly addressing your point about, "At the same time building something that does not interact with user data while improving your project is a win-win." Of course, things outside of that in the app/host layer are important to lock down, as you mentioned.
Discussion
I see, I probably should’ve worded it better. I felt like app permissions and bad encryption practices fall into this bucket, because if an attacker gets hold of your server or orchestrates a MITM attack, they’ll be able to get their hands on stuff users wouldn’t want them to.
As a rule of thumb, never store private keys in plain text and always aim to have them decoded on the client side.
Assume everything will be leaked. There is always a balance between usability and privacy.
The only thing private on NOSTR tends to be private messages and the private key.