i.e., "there are certain theoretical ways to break privacy on Lightning". I agree. And I strongly doubt any of these would be easy to pull off, and I really doubt anyone is attempting to pull them off. But it's not fair to compare this situation with a user being married to one HTTP endpoint, which they have to use to do ANYTHING, and that HTTP endpoint being controlled by just one company -- and a company, at that, with a speciality in "compliance"?