This is the advantage of being small enough to fly under the radar, more than the advantage of federation. It's also why Signal can get away with approaches that would have gotten any Big Tech player testifying in front of the Congress, with parents of kids killed by fentanyl or kidnapped by sex predators sitting right behind.
If your service becomes big and important enough, and if politicians hear enough from law enforcement and intelligence agencies that you're a major problem, then all of a sudden, your "zero chance" becomes a "non-zero chance" if you ever need to travel to or through the EU, do any business there, etc.
Another case in point: cryptocurrencies. They were government-proof until they weren't, because ultimately, there are people running exchanges and mixers, as well as other counterparties, who can be threatened with prison and fines.
The advantage of federation is you don't need to become big. XMPP works like email; you set up your DNS records and other servers can talk to yours when someone wants to chat with an address in your domain.
Federation certainly helps, in that Americans can run American instances and not worry if the EU dislikes it.
However, federation wouldn't help EU users much if the EU state decided to go for full-on Chinese style control, firewalling the foreign-hosted instances, banning the apps from the app stores, blocking access to payment infrastructure, jail for anyone found with the app sideloaded, PR campaign saying this app is used for child porn and encouraging people to turn in anyone they see using it to the cops, and so on.
It's all fun and games until you get blocked at the DNS level and effectively shadowbanned by all mainstream ISPs. This already happens today in many, many European countries.
That’s true of any provincial law. I’m sure North Korea doesn’t like the things I allow my people to say about their leadership. I’m not going to change what I’m doing here to appease their inapplicable laws though.
North Korea seems like a flimsy example because it's an international pariah, and their reach in the West is essentially limited to hacking you. It's a fairly uncommon situation that's quite different from decisions made by the EU.
(As an aside, the legislators in the US broadly believe the same things about online communications as their EU counterparts, so the noose will keep tightening either way.)
"international presence" can be as simple as a localized site for your German users. Then you are under GDPR etc. Sure you can ignore it if you are irrelevant but that doesn't change the fact that this is how laws work.
For practical purposes, what really matters is whether it can be enforced. So, for example, will your country extradite you if Americans demand it? Or, say, if you travel, will any of the countries that you pass through extradite you?
The reason why DPRK is a particularly bad example is because neither is a concern just about anywhere in the world. But for large and powerful political entities such as US and EU, it is a very real concern.