Yep. The security is in the hands of the client.
Apple in general is extremely good with handling this; actually, mobile in general.
However, if a web client is poorly coded, you can trick the website into loading a script. If you can run a script in the browser, you'll be able to steal cookies, private keys, etc.
However, if you're using mobile, then the security risk of Nostr is the same as any other social media that allows exchange of free-form text.
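As an added illustration of the "poorly coded web client" point above (example code written for this page, not taken from any Nostr client), here is the rendering step where the problem actually lives: a client that splices raw note content into its markup turns tags inside a note into live DOM, while a client that escapes the content renders the same note as harmless text. The event object, its `id` value and the helper names are constructed for the example.

```javascript
// Added example, not code from the thread or from any real client.
// Shows the unsafe and the hardened way a web client can render a Nostr
// text note, plus a self-check a client could run in its test suite.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that let text break out of HTML text or
// attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: note content is concatenated straight into markup.
// Tags in the note become real elements running in the client's origin, so
// a script in a note can read anything the page's JavaScript can read
// (cookies, a private key kept in localStorage, ...).
function renderNoteUnsafe(event) {
  return `<div class="note" data-id="${event.id}">${event.content}</div>`;
}

// Hardened rendering: every dynamic value is escaped before it touches
// the markup, so the same note shows up as literal text.
function renderNoteSafe(event) {
  return `<div class="note" data-id="${escapeHtml(event.id)}">${escapeHtml(event.content)}</div>`;
}

// Self-check: after stripping the wrapper <div> the client itself emitted,
// the rendered markup must not contain any tag-like sequence that came
// from the note. Useful as a regression test over a corpus of hostile notes.
function containsRawTag(html) {
  const inner = html.replace(/^<div[^>]*>/, "").replace(/<\/div>$/, "");
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed kind-1 (text note) event; the id is a placeholder, not a real event id.
const hostileNote = {
  id: "placeholder-event-id",
  kind: 1,
  content: "gm <script>alert(1)</script> nostr",
};

// Stand-alone run: prints both renderings and the self-check verdict.
console.log("unsafe :", renderNoteUnsafe(hostileNote), "raw tag:", containsRawTag(renderNoteUnsafe(hostileNote)));
console.log("safe   :", renderNoteSafe(hostileNote), "raw tag:", containsRawTag(renderNoteSafe(hostileNote)));
```

The escaping alone addresses script injection through note text; it does not change what an injected script could reach if one got in by another route, which is why keeping the private key out of the page's own JavaScript (for example in a browser-extension signer) limits the damage of a client bug to the session rather than the key.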