4.2. Threat model

Obscura is designed with a clear idea of which threats it addresses and which it does not.

If an attacker gains read access to the database, they obtain encrypted message blobs and routing metadata. They do not obtain plaintext conversations. They also do not obtain the keys needed to decrypt stored messages, because those keys never leave user devices.

If an attacker operates or observes the backend infrastructure, the situation is the same. They can see that messages exist and move between wallets, but they cannot see what is being said.

However, Obscura does not attempt to defend against compromised endpoints. If malware runs on a user’s device and can access memory, storage, or the screen, it can read messages after decryption. This is a hard boundary shared by all end-to-end encrypted systems.

Similarly, the MVP does not attempt to fully hide metadata. Communication relationships and timing are visible to the backend because they are required for simple routing and predictable delivery.

These boundaries are explicit. The system is not presented as “perfect privacy,” but as a clearly scoped improvement over traditional messengers in the areas it targets.
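To make the database-read and metadata boundaries above concrete, the following added example (not Obscura's own code) summarises what a party holding only stored rows can derive without touching ciphertext. The row layout, its field names (`sender`, `recipient`, `ts`, `blob`) and the wallet identifiers are assumptions constructed for illustration.

```python
import os
from collections import defaultdict

# Constructed sample rows, as a database reader or backend operator would see them.
# Field names and wallet identifiers are hypothetical, not Obscura's schema.
# The blobs are random bytes standing in for ciphertext; no key exists server-side.
ROWS = [
    {"sender": "wallet-A", "recipient": "wallet-B", "ts": 1700000000, "blob": os.urandom(96)},
    {"sender": "wallet-B", "recipient": "wallet-A", "ts": 1700000045, "blob": os.urandom(64)},
    {"sender": "wallet-A", "recipient": "wallet-C", "ts": 1700003600, "blob": os.urandom(128)},
]


def backend_view(rows):
    """Summarise what routing metadata alone reveals; blobs are only measured, never read."""
    edges = defaultdict(lambda: {"count": 0, "first_ts": None, "last_ts": None, "bytes": 0})
    for row in rows:
        # A relationship is the unordered pair of wallets that exchanged messages.
        pair = tuple(sorted((row["sender"], row["recipient"])))
        edge = edges[pair]
        edge["count"] += 1
        edge["first_ts"] = row["ts"] if edge["first_ts"] is None else min(edge["first_ts"], row["ts"])
        edge["last_ts"] = row["ts"] if edge["last_ts"] is None else max(edge["last_ts"], row["ts"])
        edge["bytes"] += len(row["blob"])  # ciphertext length is visible even when content is not
    return dict(edges)


def contacts_of(view, wallet):
    """Every wallet the given wallet has exchanged at least one message with."""
    return sorted(other for pair in view if wallet in pair for other in pair if other != wallet)


if __name__ == "__main__":
    view = backend_view(ROWS)
    for pair, info in sorted(view.items()):
        print(pair, info)
    print("wallet-A talks to:", contacts_of(view, "wallet-A"))
```

Running this kind of summary against a real schema during design review shows exactly which relationship, timing and size signals remain outside the encryption boundary.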
