There's a dangerous assumption most developers bring into Compact: "It's a privacy-first chain. My data is private unless I explicitly expose it." This is backwards. And it's where the serious mistakes happen. The actual model Compact doesn't give you automatic privacy. It gives you a hard boundary between two worlds, and a compiler that enforces it. World Where Who sees it Public On-chain, every network node Everyone Private Your local machine Only you The boundary between them is explicit. You cross it deliberately, with a specific annotation, or you don't cross it at all. The compiler guarantees this. You cannot accidentally move private data into public state, it's a compile error, not a runtime surprise. But here's what trips people up: the guarantee goes one direction. The compiler stops private data from leaking into public state. It does not prevent you from intentionally putting sensitive data on-chain by slapping it in export ledger and calling it a day. That's your problem to reason about.…