> Because doesn’t the protocol assume that messages propagate to other relays as well? There's at least a mention of NIP-70 (protected events) in the MIP-00. Perhaps NIP-70 could be a requirement for all Marmot events? I also find it scary that Marmot allows usage of relays that don't require NIP-42 auth. Almost all events should be private IMO; the auth should be required whenever possible. > or controlling the whole stack (incl relays). > How does running my own relay solve that problem exactly? How would I then ensure that my messages are not being stored by any other relay? If you're using NIP-42 auth whenever possible, control your client and relay (you're sure the relay and your client won't propagate events to unexpected relays, and the client will actually remove the events)—only your DM buddy with their unexpected relay list or broken client would be able to propagate the events to unexpected relays. The broken client is not something controllable in the FOSS world. An immutable list of relays that all sides of communication explicitly chose to use for the conversation still could be possible. But at some point these relays will be outdated for example, so a new conversation would need to be created. Feels like a wrong complication. Any better ideas?