A large slice of the Coffee web stack is deliberately local-first: demos and tools store state in your browser using APIs like IndexedDB and localStorage, not in a Coffee-owned database that mirrors every keystroke. That is an architectural choice about custody, not a claim that browsers are unbreakable vaults.
For surfaces such as KEY1-CORE, vault copy states clearly that credentials stay in the browser profile — nothing is uploaded to Coffee Computer from that page by design. Many other HTML apps in the repo use Coffee Storage (IndexedDB under namespaced databases) the same way: your origin, your profile, your disk sector under the browser’s control.
Nuance: when you use Nostr relays, third-party APIs, or paste a tunnel URL, those parties receive what you send. Coffee not running a central silo ≠ “nothing ever leaves your device.” It means we didn’t position ourselves as the mandatory warehouse.
Local-first protects you from our servers being breached for your notes; it does not stop malware, a borrowed laptop, or a family member on your logged-in session. Own your data also means physical and OS hygiene.