End-to-end encryption is a feature most communication products will ship in the next five years. It is also the feature that makes the rest of trust and safety harder, and the conversation about that tradeoff is unhelpfully polarized.
We work from a simple position. Both sides of the debate are partly right. The interesting work is in the design of the system that holds both properties at once.
Client-side signal, server-side decisions
The most workable architecture we see in production is one where classifiers run on the client, against unencrypted plaintext on the device, and emit signals about abuse patterns to a server that never sees the message itself. The user has cryptographic privacy. The system has a defensible safety posture.
This is harder to build than either pure server-side moderation or pure end-to-end encryption with no safety layer. It is also the design that survives both regulatory scrutiny and adversarial users.
What this rules in and out
Server-side keyword filtering is out. Content review queues populated by automated classifiers are out. Anything that requires the server to read message contents is, by definition, out.
Reporting flows are in. User-initiated disclosure of specific messages is in. Behavioral signals about abuse, derived without reading content, are in. The product surface shrinks; the architecture rewards the discipline.