Two Midnight apps can both say “privacy by default” and mean completely different things.
That should bother people more than it seems to.
Because once privacy becomes programmable, the real question stops being whether the chain supports private logic. @MidnightNetwork clearly does. Compact exists for that exact reason. Selective disclosure exists for that exact reason.
The harder part starts one layer up.
Who decides what gets revealed, when it gets revealed, and who gets to see it when something gets weird?
A lot of the time, that answer is not “the protocol.”
It’s the app team.
And once that’s true, the clean story starts getting messy.
Midnight’s pitch around rational privacy makes sense to me. It’s one of the more serious things the project is trying to do. Not hide everything. Not privacy as theater. More like: reveal enough to function, keep the rest sealed, make disclosure intentional instead of automatic.
Fine. Good.
But once developers start defining those reveal paths inside real applications, “privacy by default” stops being one thing. It becomes whatever the builder thought the defaults should be.
Take two teams building roughly the same lending flow on Midnight. Same privacy-first network. Same Compact tooling. Same promise: prove collateral conditions without exposing the whole balance sheet.
One team builds in a narrow dispute path that opens enough context for a counterparty and compliance reviewers to reconstruct what happened. The other keeps disclosure tight unless an admin path or governance process explicitly widens it.
Both apps can say they use Midnight.
Both can say they support rational privacy.
Users will not experience those systems the same way.
That difference is not coming from Midnight’s cryptography.
It’s coming from the developer.
And this is where crypto gets a little dishonest with itself. People like to talk as if protocol guarantees are the whole story. Users don’t live inside protocol guarantees. They live inside product decisions. What gets logged. What gets reopened later. What a compliance team can request. What a counterparty gets to see in a dispute. Which edge cases the team actually thought through and which ones got left for “later.”
That is the trust boundary, whether anybody wants to call it that or not.
You can already see how this breaks in practice. A user assumes a disputed workflow can be reviewed later. The app team assumes minimal disclosure is the entire point. A banking partner asks for more context after a flagged transaction. Midnight network didn’t fail there. The proof can still verify. The private state can still be protected.
The product decision is what starts looking shaky.
That’s the part I can’t really get past.
Because if selective disclosure depends heavily on how developers design the reveal path, then privacy is not just a protocol property anymore. It’s partly application governance. Quiet application governance. Hidden inside defaults, admin powers, UX flows, disclosure toggles, all the boring little design decisions that end up mattering more than people admit.
Midnight probably has to live with that. There’s no way around it. Protocols can give you tools. They can define cryptographic guarantees. They cannot pre-decide every privacy boundary for every workflow somebody is going to ship later.
So I’m not saying this makes Midnight weak.
I’m saying it makes the network more dependent on developer judgment than the clean privacy story usually admits.
And once two Midnight apps can both claim “privacy-first” while meaning different things in a dispute, a compliance request, or some ugly edge case, the network stops being judged only by what its cryptography can prove.
It starts being judged by what builders thought was reasonable to reveal before anyone had a reason to test it.
And that is a much messier thing to scale.