Yes, deliberately. Not everyone is defending against the same threats, so the account model is a ladder rather than a single dogma. Every rung keeps your notes end-to-end encrypted; what changes is who holds the key and what we know about you.
The convenient end: sign in with Google, Apple, or GitHub and pick "Keep it simple" when asked. We store your recovery phrase for you, encrypted at rest on our server, so any device signs in with just your provider account and there is nothing to back up or lose. The honest tradeoff: we know the email behind your provider account, and a fully compromised server could in principle expose the stored key. If your realistic threat is losing your own credentials rather than a targeted breach, that is a sensible trade.
The middle: sign in with a provider but pick "Maximum privacy". Your phrase never touches our servers and the encryption is fully zero-knowledge; new devices need the phrase or a QR scan from a device that is already signed in. We still necessarily know your provider email, but we could not read a single note even under compulsion.
The private end: skip providers entirely and use only the 12-word phrase. No email, no name, no identity, and paired with an anonymous Pro purchase, even paying leaves no name anywhere. In exchange, key custody is entirely yours: lose the phrase with no signed-in device left, and nobody can help.
The ratchet turns one way only: you can upgrade from custodial to self-custody at any time (we delete our stored copy of your phrase), but there is no quiet path back down. And every rung can add the local layers on top: PIN app lock, biometric unlock, and per-note protection.