As a user, what kind of protection do you expect? Who/What are you trying to protect against?
What implementation (client/server/something else?) allows you to do this? What would be missing?
I started writing an answer here yesterday, and I decided to write an article instead: https://bouah.net/2022/04/an-overview-of-my-threat-model/
One thing I’d like to see better protections for as a user is privilege delegation. Right now if I want to, e.g., log into Movim without hosting my own, I’d have to give them complete control of my XMPP account by entering my username and password into their app. It would be nice if we had something where I could generate an application token and use that instead and it would only grant them access to the specific pub-sub nodes and permissions that they request.
I agree this would be nice. I’ve also been wanting something like this à la OAuth scopes.