Btw, a small detail, but the reverse proxy actually deciphers the TLS encryption on the network transport. The second leg is secured by WireGuard in my setup. The point being that the reverse proxy is a potential surveillance point, as it is a man in the middle. So the messages must be encrypted as well.


Discussion

Well, you could also use authed sockets, directly, rather than over a proxy.

My point is just that kind 24 messages are unencrypted, so the amount of privacy they offer is determined by the channel they are sent on.

You could also encrypt the content, rather than giftwrapping, as an obfuscatory fallback, if it leaks or is accidentally broadcast.

There are options.

Yeah, using a WireGuard network would enable a lot too, and that is encrypted end to end. An HTTP proxy is just the simplest way, but I'm sure there are also options for improving that.

Ultimately, if the relay and the proxy are on the same machine it's not really an issue; it's only for the case of running relays locally. The signal is decrypted at the reverse proxy, and idk what options there are for remedying this exactly. Part of the problem is that true end-to-end encryption would probably need to be added at the message level to eliminate that risk at the remote proxy. If you control it, then it's not so bad, but yeah, ideally you would want to use NIP-44 encryption, basically.