Thanks a lot. A few keywords go a long way.
I had not stumbled across remote signing, and I had not seen that flavor of the term watch-only before, that is helpful. I wouldn't have known to search for those.
The first I had read, the second.... I had scanned a couple of the 61 pages. It seemed either outside what I was looking for, or missing the context which was what I was looking for. I will look again.
Little useless daily rant: For precision, my concern about fGAFAM isn't as much "stealing the funds", which I must admit is what the keys analogy seemed to suggest. It is much more about privacy and ownership. They sure love meta-data and I don't trust that they will give me access to my data whenever I want or need it. If big tech did ban a certain president across multiple supposedly unrelated "services," it is certainly willing to lock me out of any account, and I would not even expect them to provide any clear reason as to why even if the pope asked a hundred times. End of rant.
End goal: My end goal is a setup that I trust, as defined by myself. That would be two signatures (on separate hardware) required for anything that isn't a payment, and a third signature to actually make payments. e.g. (1) a lightning node, (2) a wallet, and (3) a payment-permission-giver. I think of a hardware-wallet for the third, but it really doesn't have to be and using that term would too easily lead to confusion.
Both (1) and (2) would be required for anything to happen at all. Any channel update that maintains or increases the overall balances would always be allowed, but decreasing that balance would not be allowed unless (3) explicitly "gives permission" to do so with a signature.
The idea is that even if either one of the two hot wallets is fully compromised, the funds remain completely safe because the non-compromised node would prevent any rules from being broken.
If both (1) and (2) are compromised, then... boom! in the unfortunate sense.
Meanwhile: Is there a hybrid or multi-sig mode where both the wallet and the lightning node must sign?
And a question I forgot in my original post: What does Electrum connect to for lightning? I searched, watched some videos, and failed to grasp some necessary detail.
Does any wallet do "proper remote instant backups" already? That is, full backups, that are updated such that a node failure at the worst time doesn't mess up channel state or require force-closing any channel.
Zap wallet seems to allow making backups on the local drive, Google Drive or Dropbox. What does it save exactly, and when? What is it good for, and what is it NOT good for?
Installing LND as a "remote-signer" feels overkill, but I lack the knowledge and experience to know if that is the case.
I will now be looking for some light-weight open-source Linux desktop remote-signer, and then I have some work to do to put things together.
I tried two lightning wallets a while ago, and I had a different not-so-smooth experience with each, Zap-Wallet was one of them. I only consider Linux desktop software, for now at least.
As for the End Goal above, it seems to me that the most plausible path is to be patching a remote signer such that two instances of it work together to act as a single remote signer that connects to a watch-only node. I may hire some developer who knows better than I to help with that, but I still have some figuring out to do before that.
If anyone has any suggestions or pointers that can be useful, or if you know your stuff enough and are willing to work on something like that for some sats, let me know, that would be greatly appreciated.
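
Added example, not part of the original post and not code from any existing wallet or remote signer: a simplified Python model of the three-role policy described under "End goal", where two signers each track channel state themselves and refuse a balance decrease without approval from role (3). The names `Update`, `PolicySigner`, `co_sign` and `mac` are hypothetical, and HMAC with one approver key per signer stands in for real signatures.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    channel_id: str
    state_num: int
    new_balance_sat: int  # our side of the channel after this update


def mac(key: bytes, update: Update) -> bytes:
    # Assumption: HMAC-SHA256 stands in for a real signature scheme.
    msg = f"{update.channel_id}|{update.state_num}|{update.new_balance_sat}"
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


class PolicySigner:
    """Role (1) or (2): co-signs only when its own policy check passes."""

    def __init__(self, own_key: bytes, approver_key: bytes):
        self.own_key = own_key
        self.approver_key = approver_key  # shared only between (3) and this signer
        self.channels = {}  # channel_id -> (last state_num, last balance)

    def open_channel(self, channel_id: str, balance_sat: int) -> None:
        self.channels[channel_id] = (0, balance_sat)

    def allows(self, update: Update, approval=None) -> bool:
        if update.channel_id not in self.channels:
            return False
        last_num, last_balance = self.channels[update.channel_id]
        if update.state_num != last_num + 1:
            return False  # stale or replayed state
        if update.new_balance_sat >= last_balance:
            return True  # balance kept or increased: no approval needed
        # Decrease: (3) must have approved this exact update for this signer.
        expected = mac(self.approver_key, update)
        return approval is not None and hmac.compare_digest(approval, expected)

    def sign(self, update: Update, approval=None):
        if not self.allows(update, approval):
            return None
        self.channels[update.channel_id] = (update.state_num, update.new_balance_sat)
        return mac(self.own_key, update)


def co_sign(signers, update, approvals=None):
    """Both signers must agree; approvals carries one MAC from (3) per signer."""
    approvals = approvals or [None] * len(signers)
    if len(approvals) != len(signers):
        return None
    if not all(s.allows(update, a) for s, a in zip(signers, approvals)):
        return None  # no signer advances its state unless every signer agrees
    return [s.sign(update, a) for s, a in zip(signers, approvals)]
```

Because each signer compares against its own recorded balance and its own approver key, an approval computed with the other signer's key is rejected, which is the "one compromised hot wallet" case from the post.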