• The proposed system would have centralized permission-checking (by the "space host", as authorized by the "space authority") and distributed storage (in each user's PDS). But applications would likely keep a full replica of all the user data in the space:

    > Permissioned data sync is functionally similar to public atproto. Applications build views by pulling repos from their hosts. The major difference is that there is no relay to provide a collated firehose of data for the network as permissioned repositories are by their nature non-rebroadcastable. An application pulls directly from each repo host and is responsible for keeping its own copy in sync.

    So it seems like the PDS wouldn't normally be doing all that much. It might seem more efficient to remove the PDS from the design? Except that it does mean you don't need to export your user data from an application. Instead, you already have a full copy of the data in your PDS.

    I wish Google Photos made syncing all my photos to backup storage this easy and automatic!

    It also makes migrating the space to a different app easier. But who controls the migration depends on what kind of app it is. If it's single-user then the user is also the "space authority" and they can switch to a different app whenever they want. For a multi-user space, the "space authority" is someone else.

    In order for this system to make sense, you need a PDS host and at least one application that you trust, and ideally they would be independent. It doesn't do anything in particular to prevent misuse of your data by your PDS host or an app, but it does ensure that you have a separate copy of anything you upload, and you can migrate to a different app.

    Maybe compare with phone number portability or switching to a different domain name registrar.

    (Incidentally, I might have posted this comment on Bluesky, but at 1795 characters it's far too large to post there.)

  • Rendered Markdown: https://github.com/bluesky-social/proposals/blob/permissione...

    Note this is an early draft and will likely change, as the PR description says.

  • That would enable private repos on https://tangled.org/ , right?