Hacker News
by egwynn 3189 days ago
I’m not sure what threat model you’re proposing. If an attacker has control of your computer or the Keybase app, then yes, it’s game over. But encryption removes the hosting entity as what would otherwise be a single point of failure. If you hack Keybase the organization, you don’t immediately get access to everyone’s everything (in contrast with Equifax). An attacker would need to infiltrate the codebase and then release a malicious version to everyone that makes their apps decrypt/reroute/whatever the data.
1 comments

I suppose I'd like to see what threat models actually apply to companies, and what vectors are most often used to get pwned (outside of social engineering). I understand what encryption prevents, but I don't understand how helpful it is in practice.