Privacy and security
Private message privacy (DMs)
Only the message content is encrypted on Nostr: the sender, recipient and timestamp are visible to everyone.
Visit your profile with a public key login or see someone else's profile with the "View as..." feature to experience the level of privacy firsthand.
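What a relay or any other reader can recover from encrypted DMs without holding a key, as an added example that is not Iris code. It assumes the NIP-04 direct-message layout (kind 4, recipient in a "p" tag, content as base64 ciphertext followed by ?iv=); the events and keys are constructed placeholders, and the message-size estimate goes beyond the three fields named above.

```javascript
// Assumed NIP-04 layout: content = base64(AES-256-CBC ciphertext) + "?iv=" + base64(iv).
const ALICE = "a".repeat(64), BOB = "b".repeat(64), CAROL = "c".repeat(64); // placeholder keys

// Constructed placeholder "ciphertext": valid base64 for `bytes` zero bytes.
function fakeContent(bytes) {
  const pad = (3 - (bytes % 3)) % 3;
  const b64 = "A".repeat(Math.ceil(bytes / 3) * 4 - pad) + "=".repeat(pad);
  return b64 + "?iv=" + "A".repeat(22) + "==";
}

const sampleEvents = [ // constructed, unsigned sample events
  { kind: 4, pubkey: ALICE, created_at: 1700000000, tags: [["p", BOB]], content: fakeContent(16) },
  { kind: 4, pubkey: BOB, created_at: 1700000060, tags: [["p", ALICE]], content: fakeContent(48) },
  { kind: 4, pubkey: ALICE, created_at: 1700000120, tags: [["p", CAROL]], content: fakeContent(32) },
  { kind: 1, pubkey: ALICE, created_at: 1700000180, tags: [], content: "public note" },
];

// Decoded byte length of a base64 string, computed without decoding it.
function base64Bytes(b64) {
  const pad = b64.endsWith("==") ? 2 : b64.endsWith("=") ? 1 : 0;
  return (b64.length * 3) / 4 - pad;
}

// Everything readable from one DM event without any private key.
function visibleMetadata(ev) {
  if (ev.kind !== 4) return null;
  const pTag = ev.tags.find((t) => t[0] === "p");
  const n = base64Bytes(ev.content.split("?iv=")[0]);
  return {
    sender: ev.pubkey,
    recipient: pTag ? pTag[1] : null,
    sentAt: new Date(ev.created_at * 1000).toISOString(),
    plaintextBytes: [n - 16, n - 1], // PKCS#7 adds 1..16 bytes of padding
  };
}

// Who talks to whom, how often, and when: the contact graph an observer can build.
function conversationSummary(events) {
  const pairs = new Map();
  for (const ev of events) {
    const m = visibleMetadata(ev);
    if (!m || !m.recipient) continue;
    const key = [m.sender, m.recipient].sort().join(":");
    const s = pairs.get(key) || { messages: 0, first: ev.created_at, last: ev.created_at };
    s.messages += 1;
    s.first = Math.min(s.first, ev.created_at);
    s.last = Math.max(s.last, ev.created_at);
    pairs.set(key, s);
  }
  return pairs;
}
```

Calling `conversationSummary(sampleEvents)` yields two conversations, with message counts and first/last timestamps, while the message text itself stays unreadable.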
Privacy on uploaded images
Iris loads images through a proxy, which resizes them and avoids leaking your IP address, unless the image comes from a whitelisted service (e.g. imgur.com and nostr.build).
Privacy on relays
Your internet protocol (IP) address is exposed to the relays you connect to. If you want to improve your privacy, consider utilizing a service that masks your IP address (e.g. a VPN) from trackers online. You can also connect to Iris messenger on Tor Browser, which will mask your IP address.
The relay also learns which public keys you are requesting, meaning your public key will be tied to your IP address.
Key safety on browser apps
Browser applications, unlike native apps and browser extensions, are not signed by the developer.
Someone could hack the server or DNS and serve malicious code that steals your private key. XSS is also a risk, although it is not common in applications that use a framework like React.
Nostr is still a young protocol and the key management features are not yet fully developed.