I think the same. Nostr it is public and private messages are already encrypted. I think a simple disclaimer could be put at client side just saying that data entered it is public and have to be considered like that. Users are responsible by their own keys and no further else it is needed. No password , no emails, no statistic data it is sell or sent anyware but potentially everybody could