I made a local-only post on friend.camp tagged #thisisvisible. In an incognito window, I opened the URL https://friend.camp/tags/thisisvisible and was able to see the post.
Expected behaviour
Local-only posts should not be visible to anyone who is not signed in to the server in question
Actual behaviour
Local-only posts that contain hashtags can be retrieved anonymously using a hashtag search
Steps to reproduce the problem
I made a local-only post on friend.camp tagged #thisisvisible. In an incognito window, I opened the URL https://friend.camp/tags/thisisvisible and was able to see the post.
Expected behaviour
Local-only posts should not be visible to anyone who is not signed in to the server in question
Actual behaviour
Local-only posts that contain hashtags can be retrieved anonymously using a hashtag search
Specifications
Tested on friend.camp, v1.0.6+3.5.2