Similar to the Google WebID privacy threat model document, the IndieAuth specification should have a brief non-normative “Privacy Threat Model” or “Privacy Considerations” section, perhaps right after the Security Considerations section, or alternatively as a separate document which the spec links to.