Security works on both ends client and server side. Obviously everyone’s choices are there own client side. Server side, country of sever location and what information is collected by server of users? Of that information how long are logs kept?
At least in the US the law says if the government comes knocking and they got the paperwork you have to give them all the information you have.
The workaround is simply, don’t collect information or store logs. I am sure this will effect everything from search engine optimization to monetization but security is both a pain and costly.