I hope this is common knowledge, but just in case not: Authorized Fetch does not protect media attachments. Only post contents and (some) metadata lookups are authenticated.
Likewise, uploaded media is always public. Even if sent as a DM, anyone with the link can access the files without authentication. That includes blocked users / instances, so be careful what you upload!
reshared this
