This looks cool -- thanks for sharing.<p>Are there any docs about the threat model or intended security properties of this system? It seems at first glance like the trusted computing base includes the machine that this is running on (and thus storing the user keys and weights) but it would be great to clarify or call this out explicitly.