I assume it's your comment about if the phone is compromised they still need to brute-force the Signal db.
I find that unconvincing. If your phone is hacked, your phone is hacked. I think it's bad to make assumptions that an attacker can compromise your phone but not log keystrokes. I'm not super familiar with the state of the art of phone malware and countermeasures, but I think anything trying to be secure in the face of a compromised platform is like trying to get toothpaste back in the tube.
> it's also worth noting that just because someone isn't aware of a certain risk in their threat model, that doesn't mean they will never benefit from taking steps to proactively protect themselves from that risk.
Threat models are just as much about ensuring you have all your bases covered as ensuring you don't spend effort in counterproductive ways.
> IMO, security and privacy are best conceptualized not as binary properties where you either have it or you don't
I agree. I think security is relative to the threat you are trying to defend against. There are no absolutes.
> but rather as journeys, where every step in the right direction is a good one.
Here is where I disagree. Just because you take a step does not mean you are walking forward.
A poorly thought-out security measure can have negative impacts on overall system security.
Going through customs, in most countries their policies allow them to search, image, or confiscate your phone, but not evilmaid it or rubberhose you. For some travelers, that's their threat model.