looking at this again, the exposed query.read to friends is the problem and should have been raised when PM decryption was made transparent. I didn't know that was possible to begin with. As a stop gap we should maybe only listen to ssb-ws on localhost or rip it out all together.

Pubs running this shouldn't be that much of an issue, I think, since they don't have the key to access PMs not for them and don't get PMs frequently, at least in the uses I know of.

cc @dominic