
Great question and one we’re constantly thinking about.
Where you trust Lightswap:
  • The app itself (and future updates) aren’t malicious.
  • The UI shows you the correct addresses and amounts — and you verify them in Lightswap’s confirmation screen and on your hardware signer’s trusted display before approving.
  • Our backend that parses your text intent isn’t exfiltrating sensitive info - although we don’t have any private information - we don’t ask for or know your name, personal details, or keys — just the natural-language request.
Failure cases we think about:
  • Compromised device or malware
  • Malicious/supply-chain app update
  • UX mistakes (e.g. skipping checks in-app or on your signer and approving blindly)
These are the same classes of risks you already have with, say, a Kraken or Cash App client or a hardware wallet. We mitigate with Secure Enclave storage (or equivalent), clear verification prompts, seeing or storing as little information as possible, and open-sourcing our code, and at some point we’ll explore reproducible builds so anyone can verify what the binary does.
As you said, you can always verify deposit/withdrawal addresses independently on your hardware signer or exchange, and that’s encouraged. Our aim is to keep the trust surface as narrow as possible.
No system is perfectly trustless but we want users to understand exactly where trust is required and to minimize it wherever possible. Questions like this help us get there.
21 sats \ 1 reply \ @Scoresby 12h
Thanks for the reply! Do you anticipate Lightswap being able to interact with multisigs? (working with more than one hardware signer at a time?)
Also, will users need to create new wallets in Lightswap or will Lightswap be able to import an existing Bitcoin wallet (like from a .dat file or a descriptor)?
reply
We love multisig but for v1 we’re laser focused on single sig.
Yes you’ll be able to import wallets using descriptors. We don’t have .dat files on the roadmap but we’ll add it to our future features voting board so people can tell us what they want to see.