The line that changed my reading of @MidnightNetwork today was not about hiding a user from the chain. It was the quieter standard hidden inside the commitment and nullifier design: the issuer should not be able to recognize the spend later either.

That is a much harder privacy bar than most people casually assume.

My claim is simple. A private permission on Midnight is weaker than it looks if the party that issued the right can still connect issuance to later use. Public privacy is not enough on its own.

The system-level reason is in the docs logic around commitments, nullifiers, domain separation, and secret knowledge. Midnight is not only trying to stop double use. It is also trying to stop the initial authorizer from spotting which permission got exercised later. That changes the trust boundary completely. A proof can verify cleanly. The public can stay blind. But if the issuer can still recognize the pattern, then the app did not really produce strong private authorization. It only shifted who gets to watch.

That is why I think builders should stop treating “shielded usage” as a finished sentence. In some Midnight flows, the serious privacy promise is not merely that outsiders cannot see the spend. It is that the issuer cannot quietly keep a recognition trail either.

My implication is blunt: if teams build private permissions on @MidnightNetwork without protecting issuer-side unlinkability, they will market stronger privacy than the mechanism actually delivers. $NIGHT #night