[southerntofu]

> It has become impossible to ensure updates across OEMs

This is not entirely true anymore, with Google pushing for Project Treble and Generic System Images. I am angry at them for not worrying about this (or mainline kernel support) in the early days of Android, but the fact is the situation has much improved already.

> As long as there is no authority to mandate certain communication protocols

Established authorities have been using Jabber/XMPP for years (though mostly not free-software solutions), and the french State has recently settled for Matrix's Element who received an extensive security audit for the occasion.

I believe it's also possible to advance an ecosystem without authority. That's what compliance suites/checkers have been doing over the years: TLS testers, DKIM checkers, and more recently in the Jabber/XMPP ecosystem the Conversations and XMPP Compliance Suites have really helped guide the ecosystem forward.

Simply outlining what's done right and what's done wrong for specific usecases helps end-users make a choice in their clients/servers, and guides sysadmins/developers in making things right when they want to.