Edit: obligatory explanation (thanks mods for squaring me away)…
What you see via the UI isn’t “all that exists”. Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see “under the hood”. Any instance admin, proper or rogue, gets a ton of information that users won’t normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.
Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.
I’m pretty sure that most Lemmy instances run on a VPS, where the only thing you actually have to worry about usually is securing SSH, i.e. only using keys and setting up fail2ban. After that it’s only a matter of securing Lemmy the software itself, which is a whole other discussion.
Just the other day, the computers of Kolektiva.social (Mastodon instance) got seized by the FBI.
Well, it wasn’t the other day - it was back in May. It was the other day that its users were notified that it happened.
https://kolektiva.social/@admin/110637031574056150
I wouldn’t make any assumptions about the security of a particular instance of Lemmy or the locations of backups of the database that a developer or admin may have for testing.
Lemmy support is full of people tripping over themselves because they didn’t change the lines in the default docker-compose that the docs explicitly say “You must change this to match your environment”.
“The only thing you actually have to worry about” is doing a lot of heavy lifting.