1. “A vault is a single point of failure.”

True in the naive case; we mitigate with at-rest encryption with hardware-key gating for sensitive scopes, optional multi-vault sharding (health data in one vault, finance in another), and recovery paths that do not rely on the vault operator alone.

2. “Users will approve everything; consent is theatre.”

Partly true. Two mitigations: preference-level policies that pre-decide low-risk scopes quietly, and a dashboard that surfaces unusual patterns (47 queries from one app in a day) even if the user approved them implicitly.

3. “Governments will subpoena it.”

Also true. Vaults are subject to the law in the jurisdiction they operate in. Our policy: we publish a transparency report, we require valid legal process, we resist fishing requests, we do not operate in jurisdictions that require backdoored encryption. Users concerned about government access today can choose self-hosted vaults; the protocol supports that.

4. “Setting up a vault is too much work.”

Agreed, if the only path is manual. Our bet is on ingest adapters (DTP-style) for the common sources: Apple Health, Google Fit, Gmail, bank feeds, GP records. A well-instrumented setup takes 20 minutes once; a manual one takes weeks.

5. “Purpose binding is theatre. Anyone can claim any purpose.”

Legally, purpose becomes the contract. An app that claimsrestaurant_booking and uses data for marketing is in violation of GDPR and of the token it signed. The audit log + third-party verifiability makes this detectable. Not perfect, but better than a world with no purpose field.

6. “Inference attacks — many small answers reconstruct rows.”

Real concern. Mitigations: per-app-per-scope query budgets, anomaly detection on query-pattern density, refusal of highly-correlated query sequences. We expect this to be an ongoing research area rather than a solved problem.

7. “Isn’t this just vendor lock-in to Gera?”

The protocol and scope vocabulary are designed to be portable across vault operators. Export and re-import must be a first-class feature; we will treat it as a correctness bug if it is ever difficult. Users can run their own vault or host with a competitor, and the query surface stays the same.

8. “My grandmother cannot use this.”

Correct if the product surface is token-shaped. The UX is the design problem. Grandma should never see a scope string — she should see “the restaurant app is asking about your food allergy; is that okay?” with a single Yes/No. The engineering job is to hide the token machinery behind a plain-language card.

9. “Is the audit log legally useful?”

Under GDPR, the audit log is evidence of compliance for the vault operator and evidence of non-compliance against an abusing app. Courts have increasingly accepted structured logs as evidence (since the EU ePrivacy and DORA rulings). We formalise the log format so it is machine-processable by regulators.

10. “What happens if I lose my key?”

The vault supports social recovery (threshold of trusted contacts can sign a recovery request), hardware-key primaries with backup keys, and identity-provider-assisted recovery. None of these is perfect — there is a residual population who will lose their data. Our job is to minimise that population without creating a backdoor.

11. “What does this cost a small business to support?”

Zero infrastructure cost — the vault runs on the user side. For the business, supporting GeraMind queries is an adapter library: declare the scopes you need, declare the purpose, handle the minimised response. Target integration cost: a half-day for a standard web app.

12. “Do we really need this?”

Fair question. The honest answer is: we need it if agent commerce (see GeraNexus) takes off. Without a portable user-context layer, every agent will either prompt the user constantly (bad UX) or store user data redundantly (bad privacy). Vaults are the shape of the solution. If agent commerce does not take off, we will have built something less necessary — but still useful for the web-sign-up friction it eliminates today.