Why Backend-for-Frontend for Solid is categorically wrong

@ThisIsMissEm I agree with a lot of what you’re saying here w/r/t providing the user a guarantee that their data won’t be used in an unauthorized way, in particular that an app provider can’t persist a copy of the data on their servers and use it either a) within the boundaries of the grant but after it was revoked or b) outside the boundaries of the grant. This seems like a valuable guarantee in all cases, and critical in some (health records and financial data come to mind).

Along those lines I notice that even in the non-BFF part (left side) of the diagram in the BFF post, the Pod is in the “Organization” box. If the Pod is in the physical infrastructure of the App Developer, won’t they have access to that data as well? If the Pod storing the data is not in the App Dev’s infra (self-hosted pod, or separate provider), and it’s a client-side-only app, then like you said the user might be able to pull the thread on something nefarious, and at that point sue, shame, etc., the dev if they’re doing something “wrong”…but if the storage or compute is in the clear on their infra I’m not sure what the guarantee is. I’m new here, so maybe I’m missing something?

You mention Sandboxes: is there any provision in Solid where a user can require that compute take place in a Sandbox, or some type of secure/attested environment?