I'm curious about the trust model: it seems that Lightswap is mobile only. So, I'm at least trusting that my device isn't compromised (although I could imagine some ways you mitigate against that). But what else?

If I can independently verify deposit and withdrawal addresses on hardware signers and on exchanges, that helps.

If the keys always remain on the signing device (which means I have to sign every transaction on with my signer), I'm not at risk that lightswap gets my keys.

I'm sure you've thought through this stuff endlessly, but I'm curious to know where you think I end up trusting LIghtswap -- what are the failure cases?