The security thing is the big one. No one should be putting their nsec directly into a bunch of different clients.

If you're writing for browsers you need to support at least NIP-07 for note signing. Mobile and desktop need NIP-46 for secure signing. NIP-46 itself depends on NIP-04 and/or NIP-44 for encryption.

Major clients don't use note IDs, they use bech32 identifiers. Those are defined in NIP-19.

Replies and common indexed tag types are in yet another NIP.

Then there's the outbox model, which isn't really defined anywhere at all, but is essential for a client to work with a distributed set of relays. That's pure institutional knowledge.