Replying to boston wine

Your IP address is visible to your relays.

If a relay operator was malicious they could abuse that information in identifying you (perhaps to punish you for how you use Bitcoin, in a country with an authoritarian regime) or could package your nostr activity with other data brokers’ information about you to sell into the profile(s) that exist on nearly everyone for ad-targeting (at best) or government surveillance (in the US, for example, it’s illegal to spy on citizens, but not to buy the entirety of their internet activity from a broker and use that for profiling and “criminal prediction” police lists).

These are all “ugly” (although not “worst case”) scenarios, but it’s more likely that some of those things are already happening with your online data outside of nostr.

It depends also, of course, what relays you use. You asked “worst case” so yeah someone could go after nostriches in a few years with the assumption that many of them hold lots of (massively appreciated) Bitcoin. Kidnappings and theft already happen; user data from crypto exchanges is sold on the dark web every day, and people get scammed and stolen from as a result.

Nostr isn’t necessarily “big” enough yet to make us targets… but data is forever.

Using an always-on VPN is just best practice, on Nostr or anywhere else, and while it’s of course far from a perfect solution, a high-quality VPN is such an easy way to limit the data that can be easily traced to you, making it just inconvenient enough that your average bad actor would prefer a different, easier target.

Hope this is helpful 🫡

What VPN recommendations would you make?

Discussion

I use NordVPN and have been using it for 7 yrs now. I also checked if they have been compromised or not. E.g., where their jurisdiction is, the data/metadata they collect. ☺️

Nord has excellent UI/UX, and many, many servers you can choose from around the world. I’ve heard some hesitation from privacy-focused friends, although I don’t know the specific reason behind it

Always do your research regardless of who recommends it, and whether the service/product fits your needs.

💯🎯🫡

Mullvad is fast and reliable, no KYC, accepts Bitcoin, doesn't store customer data as it runs in RAM and has a track record of resisting police raids.

Turns out, as a paying Proton customer, I was able to start using theirs very easily

Not sure why I didn't do this before!

Another step on the privacy ladder. Achievement unlocked.

Congrats!

Awesome 🔥

Mullvad would be my first recommendation. Others like Proton and (I believe) iVPN. My first was Nord, which was an excellent user experience, but they don’t accept Bitcoin/Monero for added privacy