Need help understanding how data linked to DIDs are secure and private

Hi! I’m new to Ceramic and DID in general. I read the docs and it seems like users can basically create records of their data based on a schema and store them on the Ceramic nodes for the apps to use. It seems like the records can then be publicly retrieved by any app? The IDX docs say:

By relying on DIDs for identifiers and indexes for user tables, you can greatly reduce the amount of sensitive identity information stored on your servers and instead rely on the trust and security of decentralized protocols.

However, I don’t understand how this greatly reduces the amount of sensitive information and improves security/privacy, because wouldn’t any other app now be able to easily retrieve from the Ceramic nodes those records the users have created and stored? And better still, just scrape all those records and save them in their own database. Now they just got all the information about everyone, all for free, from every other app that took info from their users?

I’m sure I’m missing something here that I don’t understand.


Hey!

So we’ve completely deprecated IDX including the docs. So they’re really out of date. I’d recommend using our updated docs site as your source of truth.

That being said, how our querying works is that unless you know your user’s DID you can’t access their data. In addition to this we’ve also been working on CACAO, which protects this even more, as the user will need to provide granular access to the DataModels they choose, adding an additional layer of separation from their original DID.

As for what’s preventing users from just scraping the entire “database” we don’t allow queries that do not contain a DID reference. There’s no way to run SELECT * FROM users on Ceramic. Essentially all queries have to be more like: SELECT * FROM users WHERE did = 'did:pkh:user_did'.

Hopefully that clears it up for you!
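To make the rule in the answer above concrete, here is a small Python model of a DID-scoped store (an added illustration written for this thread, not Ceramic’s own code): records are readable by anyone who names their controller DID, but a query with no DID, a wildcard, a list of DIDs or a malformed DID is refused, so there is no equivalent of SELECT * FROM users. The DIDs, record contents and the DID regex are constructed for the example; the regex covers the core did:method:id syntax and ignores percent-encoding.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Core of the W3C DID syntax, did:<method>:<method-specific-id>, allowing the
# ':'-separated id segments of e.g. did:pkh:eip155:1:0x... (percent-encoding ignored).
DID_RE = re.compile(r"^did:[a-z0-9]+:[A-Za-z0-9._-]+(?::[A-Za-z0-9._-]+)*$")
class QueryRejected(Exception):
    """Raised for any query that does not name exactly one DID."""
@dataclass(frozen=True)
class Record:
    controller: str   # DID of the account that created the record
    model: str        # data model (schema) the record follows
    content: dict
def is_did(value: object) -> bool:
    return isinstance(value, str) and DID_RE.match(value) is not None

class DidScopedStore:
    """Toy store: any record is readable by anyone who knows its controller DID,
    but nothing can be enumerated. Models the rule stated in the answer above."""
    def __init__(self) -> None:
        self._records: List[Record] = []

    def put(self, rec: Record) -> None:
        self._records.append(rec)

    def query(self, model: str, where: Optional[dict] = None) -> List[Record]:
        # The gate: no controller filter, a wildcard, a list of DIDs or a malformed
        # string are all refused; there is deliberately no path to 'SELECT *'.
        if not where or "controller" not in where:
            raise QueryRejected("query must filter on a controller DID")
        did = where["controller"]
        if not is_did(did):
            raise QueryRejected(f"controller filter must be one valid DID, got {did!r}")
        return [r for r in self._records if r.model == model and r.controller == did]

# Constructed sample data (not real accounts): one Profile record per user.
ALICE = "did:pkh:eip155:1:0x" + "a" * 40
BOB = "did:pkh:eip155:1:0x" + "b" * 40
def build_sample_store() -> DidScopedStore:
    store = DidScopedStore()
    store.put(Record(ALICE, "Profile", {"name": "alice"}))
    store.put(Record(BOB, "Profile", {"name": "bob"}))
    return store

def try_query(store: DidScopedStore, where: Optional[dict]) -> str:
    """'rejected', or the comma-joined names found, so each gate decision is visible."""
    try:
        return ",".join(r.content["name"] for r in store.query("Profile", where))
    except QueryRejected:
        return "rejected"
```

Note that a query for a DID that has no records simply returns nothing, and the only way to learn a DID is from the user (or wherever they have already published it); the store itself never reveals one.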