(mint@ryona.agency)'s status on Friday, 24-Nov-2023 04:33:25 JST
@adiz @newt @Kuara @PurpCat Will just quote myself.
"Basically, every ActivityPub instance uses HTTP signatures provided by other instances to verify that new messages actually come from said instances, this is normal since otherwise anyone with a copy of curl could forge them. Signed fetches extend this to GET requests for objects/activities (fetching posts from users no one is subscribed to as part of the thread context, for example) which is retarded since once the message leaves your instance, you have no control over it anyway: people can just go to your instance if API isn't locked, and if it is, go to the neighboring one."
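
The mechanism described in the post above, as an added example that is not part of the original post or any instance's own code: signing and verifying a request with the draft-cavage HTTP Signatures scheme (rsa-sha256) that fediverse servers commonly use, applied to a GET as a signed fetch would be. The host names, keyId, date and the `fetch_status` policy helper are constructed for illustration.

```ruby
require 'openssl'

# Constructed sample data: key pair and keyId of a hypothetical fetching instance.
ACTOR_KEY = OpenSSL::PKey::RSA.new(2048)
KEY_ID = 'https://fetcher.example/actor#main-key'
HEADERS = { 'host' => 'origin.example', 'date' => 'Thu, 23 Nov 2023 19:33:25 GMT' }.freeze

# Signing string: one "name: value" line per covered header, in the listed order.
def signing_string(method, path, headers, names)
  names.map do |n|
    next "(request-target): #{method.downcase} #{path}" if n == '(request-target)'
    "#{n}: #{headers.fetch(n)}"
  end.join("\n")
end

# Requesting side: returns the Signature header value for a request.
def sign_request(key, key_id, method, path, headers, names = %w[(request-target) host date])
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signing_string(method, path, headers, names))
  %(keyId="#{key_id}",algorithm="rsa-sha256",headers="#{names.join(' ')}",signature="#{[sig].pack('m0')}")
end

# Receiving side: key_lookup maps a keyId to a public key (in practice fetched
# from the remote actor document) or returns nil when the key is unknown.
def verify_request(method, path, headers, key_lookup)
  raw = headers['signature'] or return :unsigned
  params = raw.scan(/(\w+)="([^"]*)"/).to_h
  pub = key_lookup.call(params['keyId']) or return :unknown_key
  names = (params['headers'] || 'date').split(' ')
  return :bad_signature unless names.all? { |n| n == '(request-target)' || headers.key?(n) }
  data = signing_string(method, path, headers, names)
  sig = params['signature'].to_s.unpack1('m')
  pub.verify(OpenSSL::Digest.new('SHA256'), sig, data) ? :valid : :bad_signature
end

# Hypothetical policy switch: with signed fetch required, only a valid
# signature on the GET is served; without it, any GET is served.
def fetch_status(result, require_signed_fetch)
  return 200 unless require_signed_fetch
  result == :valid ? 200 : 401
end

if __FILE__ == $PROGRAM_NAME
  signed = HEADERS.merge('signature' => sign_request(ACTOR_KEY, KEY_ID, 'GET', '/objects/1', HEADERS))
  lookup = ->(id) { id == KEY_ID ? ACTOR_KEY.public_key : nil }
  puts verify_request('GET', '/objects/1', signed, lookup)   # signed fetch as sent
  puts verify_request('GET', '/objects/2', signed, lookup)   # signature reused on another object
end
```

The signature covers the method and path through `(request-target)`, so it binds one requester to one request; it says nothing about what happens to the object after it has been served.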