[kodama-lens]

Okay, let's think this a little further:

I now have the possibility to open PRs and comment on them for a repo that is hosted on another instance. I still have to deal with user permission. Just because others can interact with my GitLab instance and repos I don't necessary want them to see everything. So user permissions is still a thing.

It would just have the time of creating an external user on my instance (or paying premium for them). Buth this could also be archived via OIDC logins of specific allowed accounts.

Am I missing the advantages here?

[mariusor]

ActivityPub supports authorized requests from federated actors, which would allow access to private resources. It would be a trivial exercise (speaking here as someone that implements fediverse software) to add permissions for users on other gitlab instances.

[emaro]

Sharing of private resources is explicitly stated as a non-goal.

[manfre]

Does ActivityPub even support interactions that are actually private? Last time I worked with it, the private messaging was more akin to "please don't read this postcard" in the mailbox.

[wiktor-k]

I guess it depends on your definition of privacy but if you're thinking about end-to-end encryption then there's nothing like that in ActivityPub. Admins of the receiver and the sender can see all messages including direct messages. They are not visible to the broader public though.