privnote url can be mitmed and you will never realize that it was read gpg public key can also be mitmed though which is why it isn't a bad idea to send it through multiple channels or through a channel where the sender can verify it anonymously