Nick Ford (@itsnickford)
Venice is not really private ($VVV), but by that logic, neither is anything else.
If we apply the same scrutiny to healthcare or finance, those entire sectors would be considered "at risk."
Most of the modern internet runs on hyperscalers (AWS, Azure, GCP) or various CSPs and NeoClouds.
The reality is that when you deploy a workload in the cloud, you give up control over the physical hardware.
You have no way of knowing if a rogue admin is tampering with your host, stealing data, or if a rootkit, malicious or accidental, is compromising the system.
We've become very good at protecting data in two states:
Data at Rest: e.g., secured via self-encrypting drives.
Data in Transit: e.g., secured via HTTPS/TLS.
The missing link, and the most obvious attack vector today, is data in use.
To bridge this gap, most hyperscalers now offer Confidential Computing.
This ensures that even a rogue admin cannot scrape secrets from the Guest OS memory. It creates a world where you no longer have to trust the hardware provider; you can move your workload anywhere, and the data remains shielded.
However, security isn't free, and Confidential Computing faces two major hurdles:
Hardware Scarcity: It is extremely limiting. It requires specific hardware like Intel Xeon Gen 5 (Emerald Rapids), which is still very new.
Given that data center hardware often operates on a 6+ year lifecycle, widespread affordable adoption is years away.
Performance & Feature Gaps:
Security isn't free, and there is a significant performance hit. Furthermore, you lose critical features important for Day 2 operations of workloads.
There is also the Trusted I/O problem. Even if you protect the Confidential VM, you are only protecting the CPU bounds.
The moment you dump data into a GPU, it is exposed again, as it sits outside the defined Trusted Computing Base (TCB). While some devices now support Trusted I/O, they remain quite limited.
Where does this leave us?
Security is a spectrum, not an absolute; it’s an evolving story.
As Milian rightfully points out, the "gold standard" remains running models locally on hardware you personally control and can attest to.
In the meantime, Venice is taking a much-needed approach: a strict policy to never store your prompts or data.
Ultimately, a root of trust has to start somewhere. No matter how many layers of encryption you add, you eventually have to trust one end of the chain.
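An added example, not part of the post above and not Venice's or any hardware vendor's code, of what "hardware you can attest to" and "a root of trust has to start somewhere" look like in practice. A relying party sends a fresh nonce, the platform's attestation key signs a report over the guest's measurement, the nonce and the debug flag, and the verifier accepts only if the signature chains to a key it enrolled in advance and the measurement is on its allow-list. The `Guest`, `Report`, `Platform` and `Verifier` types, the field layout and the scenario names are assumptions made for this example; real SEV-SNP and TDX reports carry many more fields and a vendor certificate chain instead of a single raw public key, and all images here are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Guest is what the hardware measured at launch. Assumption for this example:
// real SEV-SNP/TDX reports carry many more fields than these two.
type Guest struct {
	Measurement [32]byte // hash of the initial guest image (firmware, kernel, ...)
	Debug       bool     // debug mode lets the host read guest memory
}

// Report is the hardware's signed statement about a Guest, bound to a nonce.
type Report struct {
	Guest
	Nonce [32]byte // verifier's challenge; proves the report is fresh
	Sig   []byte   // ASN.1 ECDSA signature by the platform key over digest()
}

// digest covers every field the verifier will base a decision on, so none
// of them can be altered by the host after signing.
func (r *Report) digest() []byte {
	h := sha256.New()
	h.Write(r.Nonce[:])
	h.Write(r.Measurement[:])
	if r.Debug {
		h.Write([]byte{1})
	} else {
		h.Write([]byte{0})
	}
	return h.Sum(nil)
}

// Platform stands in for the CPU's root of trust: a signing key that neither
// the guest nor the host OS can read (real platforms fuse it into silicon).
type Platform struct{ key *ecdsa.PrivateKey }

func NewPlatform() (*Platform, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Platform{key: key}, nil
}

func (p *Platform) PublicKey() *ecdsa.PublicKey { return &p.key.PublicKey }

// Attest signs a report about g for the verifier's challenge nonce.
func (p *Platform) Attest(g Guest, nonce [32]byte) (*Report, error) {
	r := &Report{Guest: g, Nonce: nonce}
	sig, err := ecdsa.SignASN1(rand.Reader, p.key, r.digest())
	if err != nil {
		return nil, err
	}
	r.Sig = sig
	return r, nil
}

// Verifier is the relying party. Its trust starts here and nowhere else: an
// enrolled platform key (a vendor certificate chain in practice) and an
// allow-list of measurements someone actually reviewed.
type Verifier struct {
	TrustedKey *ecdsa.PublicKey
	Allowed    map[[32]byte]string // measurement -> image name
}

// Verify accepts a report only if it is signed by the trusted key, fresh,
// from a non-debug guest, and describes a known-good image.
func (v *Verifier) Verify(r *Report, nonce [32]byte) error {
	if !ecdsa.VerifyASN1(v.TrustedKey, r.digest(), r.Sig) {
		return errors.New("bad signature: not the enrolled hardware key, or fields altered after signing")
	}
	if r.Nonce != nonce {
		return errors.New("nonce mismatch: stale or replayed report")
	}
	if r.Debug {
		return errors.New("debug mode on: host can read guest memory")
	}
	if _, ok := v.Allowed[r.Measurement]; !ok {
		return errors.New("measurement not on the allow-list")
	}
	return nil
}

func newNonce() ([32]byte, error) {
	var n [32]byte
	_, err := rand.Read(n[:])
	return n, err
}

// RunScenarios verifies one honest launch and five things an attacker or a
// misconfiguration can produce, returning each result by name (nil = accepted).
func RunScenarios() (map[string]error, error) {
	goodImage := sha256.Sum256([]byte("constructed: reviewed guest image v1"))
	otherImage := sha256.Sum256([]byte("constructed: image nobody reviewed"))
	hw, err := NewPlatform()
	if err != nil {
		return nil, err
	}
	rogue, err := NewPlatform() // hardware whose key was never enrolled
	if err != nil {
		return nil, err
	}
	nonce, err := newNonce()
	if err != nil {
		return nil, err
	}
	later, err := newNonce() // a later challenge from the same verifier
	if err != nil {
		return nil, err
	}
	v := &Verifier{TrustedKey: hw.PublicKey(), Allowed: map[[32]byte]string{goodImage: "app-v1"}}
	attest := func(p *Platform, g Guest) *Report {
		r, aerr := p.Attest(g, nonce)
		if aerr != nil {
			err = aerr
		}
		return r
	}
	good := attest(hw, Guest{Measurement: goodImage})
	dbg := attest(hw, Guest{Measurement: goodImage, Debug: true})
	unknown := attest(hw, Guest{Measurement: otherImage})
	fake := attest(rogue, Guest{Measurement: goodImage})
	if err != nil {
		return nil, err
	}
	forged := *dbg // host clears the debug bit after the hardware signed
	forged.Debug = false
	return map[string]error{
		"good":           v.Verify(good, nonce),
		"replayed":       v.Verify(good, later),
		"debug":          v.Verify(dbg, nonce),
		"tampered":       v.Verify(&forged, nonce),
		"unknown-image":  v.Verify(unknown, nonce),
		"rogue-hardware": v.Verify(fake, nonce),
	}, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, n := range []string{"good", "replayed", "debug", "tampered", "unknown-image", "rogue-hardware"} {
		fmt.Printf("%-15s %v\n", n, results[n])
	}
}
```

The point to notice is where the trust bottoms out: the verifier never inspects the host, it only checks a signature against a key it chose to enroll and a hash it chose to allow. The "rogue-hardware" and "tampered" cases fall to the signature, "replayed" to the nonce, "debug" and "unknown-image" to policy. Nothing in the report protects data handed to a device outside that measured boundary, which is the Trusted I/O gap described above.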