Threat model for Constellation
A thought that occurred to me recently: while we will not make security a priority or selling point of Constellation (i.e. no verification or encryption will be implemented), it would be very helpful to define our assumptions for "safe" use, or, in other words, our threat model. This should be part of the documentation and could guide the development as well.
We could, for example, explicitly state that we assume that the network on which Constellation Satellites run and all connected hosts can be trusted. That could imply that we want to facilitate network separation and e.g. never bind to all available interfaces by default (which might include a non-trusted network).
I think that even reduced security targets would be good to keep in mind from an early stage on and to define them clearly.
What do you think?
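As an added illustration of the "never bind to all available interfaces by default" point above (example code written for this discussion, not part of Constellation; the function names, the loopback default and the `allow_all_interfaces` opt-in are assumptions), here is a small bind-address policy that a listener could apply before opening its socket. It treats an unset address as loopback, rejects the IPv4 and IPv6 wildcard addresses unless the operator explicitly opts in, and then actually binds so the resulting address can be checked:

```python
"""Bind-address policy: refuse to listen on all interfaces unless explicitly
requested. Hypothetical example for the threat-model discussion; not
Constellation code."""
import ipaddress
import socket
from typing import Optional

# Assumed safe default: only the local host can reach the listener.
LOOPBACK_DEFAULT = "127.0.0.1"


def resolve_bind_address(configured: Optional[str],
                         allow_all_interfaces: bool = False) -> str:
    """Return the address a listener should bind to.

    - None or empty string -> loopback (the safe default).
    - 0.0.0.0 / ::        -> rejected unless allow_all_interfaces is set,
                             because that would also listen on any untrusted
                             network the host happens to be attached to.
    - anything else        -> must parse as an IP address (ValueError otherwise).
    """
    if not configured:
        return LOOPBACK_DEFAULT
    addr = ipaddress.ip_address(configured)  # raises ValueError on garbage
    if addr.is_unspecified and not allow_all_interfaces:
        raise ValueError(
            f"refusing to bind to wildcard address {configured!r}; "
            "set allow_all_interfaces=True to listen on every interface")
    return str(addr)


def open_listener(configured: Optional[str], port: int = 0,
                  allow_all_interfaces: bool = False) -> socket.socket:
    """Resolve the bind address with the policy above and open a TCP listener.

    port=0 lets the OS pick a free port, which keeps the example runnable
    anywhere; a real service would use its configured port.
    """
    host = resolve_bind_address(configured, allow_all_interfaces)
    family = (socket.AF_INET6 if ipaddress.ip_address(host).version == 6
              else socket.AF_INET)
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen()
    return sock


def bound_address(sock: socket.socket) -> str:
    """Address the kernel actually bound; useful as a post-bind sanity check."""
    return sock.getsockname()[0]


if __name__ == "__main__":
    # Unset address falls back to loopback; the wildcard is rejected.
    srv = open_listener(None)
    print("listening on", srv.getsockname())
    srv.close()
    try:
        resolve_bind_address("0.0.0.0")
    except ValueError as exc:
        print("rejected:", exc)
    print("explicit opt-in:", resolve_bind_address("::", allow_all_interfaces=True))
```

The point of `bound_address` is that the policy can be verified after the fact: a test or a startup self-check can assert that the socket really sits on loopback (or on the one trusted interface), rather than trusting the configuration value alone.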