It's all I routinely bitch about:
https://were.social/notice/AfHlGgRYClScNnQFiy
https://were.social/notice/AfYn3Wcauj4nkflBkO
I assume it was originally under an ambitious idea to allow users to have control over their identity by cryptography, but implemented in such a half-baked way that was conceptually flawed, to the point where users cannot export their keys for risk of the entire server: https://github.com/mastodon/mastodon/discussions/22315#discussioncomment-4423581