
Transactions don’t need to ever be broadcast to the network as a whole (e.g. via a gossip protocol) — they only need to be submitted directly to the quorum that will execute them.

Think about physical replication in a DBMS: you only need to transact with the master. Physical replication receivers don’t see logical TXs; they just see the new state (= WAL segments) that the master decided on.

Of course, in a Proof-of-Work network, the quorum could be anybody, so your OPSEC is “leaky” — it’s like having forward-secrecy enabled on a public chatroom that anyone can enter and sit in listening/recording.

But in a Proof-of-Stake or Proof-of-Authority network, the quorum only consists of the stakeholders. So, as long as the stakeholders all intentionally discard transactions, then there’s nobody to recover the data from. It’s very similar to private corporations whose service involves intentionally discarding (or avoiding logging) user interactions, e.g. “private” / “anonymous” email services. Just scaled into a federated, “open-but-audited membership” system. In such a system, network governance would likely declare that new stakeholders must have their infrastructure setup security-audited by auditors chosen by the existing stakeholders, at the new stakeholder’s expense, before being allowed to run as a validator for the network.


