You are reading content from Scuttlebutt
@ev %pjY21OYQcDXzk/2vOdKAUgRHfu1Y4oKmUz41C+lwJ8Q=.sha256
Re: %I6FaCzdXc

Let's move discussion about this security flaw over here, where I can work on this in public.

Private messages also leak in Decent; here's a screenshot:


I think the solution here is to not store private messages in plain text, as they are then made available over muxrpc.

I don't think this is directly exposed in non-lite clients. But what's stopping someone from pretending to be a lite client and muxrpcing into your local client if they can figure out where your local sbot is?

Maybe this should be posted to GitHub by someone who is not blocked by Dominic? He won't see this if I post it to GitHub, because he blocks me on GitHub -- and he also deletes my comments.
