This is a very good point and one I didn’t ponder well enough. By storing permissions related to a site, it shows that the site has been visited. This is one of the reasons I pushed for encryption using user key in the API. It is sitting in an RFC here after the suggestion as granted here. I still believe the permission config doesn’t need to be on safenet itself by default (nor do I support any writing to safenet by default), but I could get behind the option to have that as opt-in config storage for a “sync” type of approach across devices.