Is there any work related to avoiding spamming inboxes or simply filling them up with junk? There is probably a couple of lessons-learned from e-mail that could be applied here.
It the inbox restricted to reject anonymous requests? We could at least require the sender to prove their WebId to avoid posting stuff on behalf of others.
I wasn’t able to put a file in my inbox without a session just now when I tried it in the app I’ve been building. I would like to hear more about how they’re going to handle relationships between users in general though. Right now you can add whomever as someone you “know” to your card without the other person knowing on the other end. My app uses it to setup the ACLs to only allow access to those people, along with sending a link pointing to it to their inbox, but yeah, to me that’s an oversight like the auto adding of email addresses to address books has been forever. Plus, you’re going to have people coming over who will have had problems on Facebook and Twitter who will only find themselves inundated with the same problems.