Great discussion!
For context: I’m building Barazo, a forum AppView on ATProto (lexicon thread).
Forum private sections have different requirements from private social posting that stress-test this proposal a bit:
- Visibility is community-scoped, not friend-group-scoped. The community admin decides who sees what based on roles and membership, not the post author.
- Ideally the content remains searchable and browseable within the community (categories, tags, thread navigation). E2EE is off the table for this use case (I assume?)
- It still needs to be moderatable. Private doesn’t mean unmoderated.
This makes me lean toward @bmann.ca’s sidecar endpoint approach. If Barazo required users on a specific PDS to access private sections, that breaks portable identity. A bsky.social user should be able to join a private forum section without migrating.
Gap: for public data, the relay/firehose handles distribution to AppViews. For private sidecar data, there’s no equivalent. The AppView would need to maintain per-user auth and actively subscribe to each member’s sidecar endpoint. That works for small communities but gets expensive at scale, and it’s a fundamentally different indexing pattern than what ATProto AppViews are built around today.