From what I understand, in Peergos the friend list is stored on certain node. Which means software running on that node can see your friend list - which is essentially what happened in CA case, except maybe Peergos does not allow to run third-party apps on private node, but even if they didn't currently, I see nothing preventing from this happening in the future. What happened in CA case, AFAIK, is that users allowed the software to access their social graph data, and that software compiled it into a database that was used for purposes the users didn't intend to. If we assume that the users can run third-party plugins on a Peergos node, why isn't that possible with Peergos?
Nope. Nothing (apart from your username, which is public) is ever stored unencrypted anywhere. Even your own Peergos server can't see your friend list. It is decrypted by your client when you log in.
We don't currently allow third party apps in Peergos, and when we do they won't be able to access the social graph, nor will they be able to connect to the internet, nor anything else outside peergos. So that data can't be exfiltrated.
