@alex why would a service worker need such a response from a path that should otherwise 404, or why should a service worker be registered on a path that should 404?
The originating server sends the private post to all servers with an eligible follower, then the receiving server checks the HTTP Signature to verify that it matches the public key it previously fetched for that actor.
This is part of why private Groups are hard. You can't really boost a private post. (You can, but it only affects servers who already have the post in their database.) Groups work by boosting posts.
No totally, you're right. Public posts get fetched. Private posts can't really be due to the nature of them being private posts, so you have to do it a different way.
@alex oh, interesting. i vaguely remember the inbox getting a URI to an object and then fetching it, but i'm probably thinking of something else
i do know that posts are fetched in some circumstances (pinned posts show up from remote accounts an instance didn't know about), so do private posts just not work there?