Sounds racy to me... and from what I've seen so far of how it works in practice, it seems to be uncertain how the clients are responding. Should be closed auth required, then send auth challenge for specific events, e.g. 4, 1059, 1060.
IMO, auth should not be optional; this should be something that we want every client to support so we can name and shame the ones that don't.
Right now Nostr is a honeypot for social graph discovery via these privileged types of events. I'm disabling publishing them in my #coracle settings, but it still tries sending out events if I allow more than my relay list. It's absolutely an abomination, and you should all be embarrassed.