“my point is that a user can be told "oh, you can't see my notes, connect to my wss://evil-relay.com" -- I don't do any due diligence before manually adding a new relay to my list, I expect my client to not get buffer overflowed and leak my nsec or not be abused. That's the point I'm making wrt to the client needs to be hardened anyway.” ✅

+

If you’re sending a note hash of a missing note to an unknown relay and the relay replies with anything but the note corresponding to the hash, then discard the data and disconnect.

What do you think about implementing the outbox model as a backup mechanism to the normal way of doing things?

This way it isn’t one or the other, it’s more like a fallback mechanism for if your set of relays are missing the note/if you can’t sync it to your Damus client-relay. Layers of redundancy…

nostr:note1djlkfuam8k03r6rryv5mma9jwzzs998juadayl0facg3wejcfh8s6hwc0f