Update: See the owner-keys configuration file details for discussion of the cryptographic properties of the Indie Site implementation.
An Indie Site is a web site (a Node JS web application) hosted on a server and accessed via clients. The default client is a web client that is, itself, served by the server.
Depending on how the app is installed and hosted, different security threats exist.
To absolutely guarantee the security of the end-to-end encryption of private messages, you would have to:
In such a scenario, you can be reasonably certain that the client that is being served is the one that you intend to be served.
This, however, is an edge case that some highly-skilled technical administrators might use. Indie Site will mostly be installed, hosted, and updated by third-party hosts.
Just like any web app, this means that we must trust the host to:
While these issues are blatantly apparent for web clients, they are also faced by native apps today in a world of App Stores and automatic updates.