Recovery contacts are a smart UX compromise for self-custody, but we shouldn't pretend they're risk-free. I was just reading about how prompt injection attacks exploit exactly these kinds of trusted verification pipelines—the "prove it's you" step becomes the attack surface when social engineering...

Awesome feature!