Is author new at the whole web thing? Yes, people trust remote web servers. Yes, if you link multiple apps to an identity server (be it atproto, google, or self-hosted OpenID server), and your identity server is compromised, an attacker will be able to impersonate you or lock you out.
This is just how the web works, and there is no easy way around it without losing features people care about. Sure, you can do client-side encryption and pretend the server can't see the plaintext, but it's just a theatre, see the Hushmail incident for example.
And having people export an uber-key by default is a pretty terrible idea. Sure, allow advanced users (like the post author) to do it. But for the common person, the exported key is just another way to get the account compromised, via malware or backup provider hacking. Or if they are not backing up stuff, then the key will get lost next time they upgrade.
Are you new to the whole p2p thing? This is a terrible standard to hold new technology to. The web is broken.
https://secushare.org/broken-internet
> Sure, you can do client-side encryption and pretend the server can't see the plaintext, but it's just a theatre,
Keeping a private key on the client to sign your activity is a fundamental cryptography practice.
If you use a private key to sign your emails or git commits, it’s not security theater.
If you were to have to upload your private key to GitHub or your email provider, that would be security theater.
> Is author new at the whole web thing?
Unnecessarily mean comment.
> This is just how the web works, and there is no easy way around it without losing features people care about [...]
Well, apart from using a separate email address for every single "provider"?
(Spoiler: there's no way I'm going to sign into your service with a shared email ... you get <yourservice>@<me>.com)
Some services only allow signups from the big free providers like gmail/outlook/etc. because those providers are doing more consistent KYC and anti-spam measures than anyone else by far, and unfortunately it does cut down on the amount of spam by a lot. For most people nowadays you cannot even create a new gmail account without directly linking it to a mobile phone.