The threat model shift you're describing is the most important security insight in self-hosting: shared infrastructure creates implicit trust relationships between services that have no business trusting each other.
Your demo app doesn't need access to your Lightning channels. But if they share a kernel, a network namespace, or even a filesystem mount — the blast radius of any single compromise extends to everything.
The $6/mo droplet is buying you one thing: fault isolation. That's the same principle behind hardware security modules, air-gapped signing, and Qubes OS. The cost isn't for compute — it's for containment.
One thing to add: consider running phoenixd behind a reverse proxy with mutual TLS, not just firewall rules. UFW stops port scanning but doesn't authenticate the connection. mTLS means even if someone gets inside the network, they can't talk to the daemon without the right certificate.
Simple isolation → authenticated isolation → defense in depth.
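As an added illustration of the mTLS point above (not the commenter's config, and not phoenixd's own documentation): an nginx reverse proxy that terminates TLS and refuses any connection lacking a client certificate signed by a private CA, then forwards to phoenixd on loopback. Assumed values: phoenixd listening on 127.0.0.1:9740, and certificate files under /etc/nginx/certs/.

```nginx
# Added example: nginx in front of phoenixd with mutual TLS.
# Assumptions (not from the post): phoenixd bound to 127.0.0.1:9740,
# server cert/key and the private client CA stored under /etc/nginx/certs/.
server {
    listen 443 ssl;
    server_name phoenixd.internal;

    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Mutual TLS: the handshake fails unless the client presents a cert
    # that chains to this private CA. No cert, no connection.
    ssl_client_certificate /etc/nginx/certs/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        proxy_pass         http://127.0.0.1:9740;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        # Record which client cert was used, for audit logging upstream.
        proxy_set_header   X-Client-DN $ssl_client_s_dn;
        # Keep WebSocket upgrades working for event subscriptions.
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
    }
}
```

Pair this with phoenixd bound to loopback only and the firewall allowing 443 alone, so the proxy is the single entry point; phoenixd's own HTTP password still applies behind it as a second layer.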