Lemmy.world is hosted in Finland. 230 is not applicable.

Can’t speak for kbin but Lemmy doesn’t collect or store IP addresses at all.

Nothing is encrypted except a user’s password. If you have access to the database you can replace that with a known password hash.

Last post received in my instance from them was over an hour ago. I usually see one or two a minute. Comments stopped at the same time and those are usually about every 5 seconds.

Tallies are maintained in the db in real-time. No calculating needed

While the Lemmy UI doesn’t expose the data is available via the API. That’s how clients like Memmy are getting it.

Lack of karma is a fallacy. The default Lemmy UI doesn’t display it but the karma system appears to be fully built.

ActivityPub is a standard, Lemmy, KBin & Mastodon are open source applications built on the standard. It’s the same relationship as Hypertext Transfer Protocol (HTTP) and Chrome, Safari, Firefox, Apache & IIS.

As a client/server architecture, Lemmy is no more or less vulnerable to malicious actors than a web browser or a web server. You’re at least as likely to have a rogue admin mishandle data as someone build Evil-Lemmy. While I consider myself a good netizen, if you delete this post right now I’m still going to have a copy for at least six months because that’s my current backup retention for this instance.

I’m no GDPR expert but I can’t see how an instance owner who does comply with GDPR can be punished for instances they don’t control not deleting federated data. There are ongoing conversations throughout the Fediverse on this topic.