I can't get the noise out of my head. People who watch the video express awe and disgust. And that is why Dutch software developer Bert Hubert's experiment is so powerful. It doesn't really uncover something that we shouldn't already know. Something we often choose to ignore. The brilliance is

When building applications that display untrusted content, security designers have a major problem— if an attacker has full control of a block of pixels, he can make those pixels look like anything

Mastodon and Pleroma support four settings for post visibility. These are public, friends only, unlisted and direct messages. What actually happens when you use those settings? The only thing they will change are the to and cc fields of the created activity and object. Your server will federate the post to other servers depending on those fields, and hopes the other server respects this. There is no technological guarantee for this, though. A malicious server could leak all the data it receives. This includes posts to friends and direct messages.