I was asked to weigh in on the "disable replies" stuff in AP. tl;dr it's trickier than it appears, and pretending that all clients will follow a MUST may actually allow bad actors to abuse the system worse than currently. Still might be a useful "preference" to expose though. https://github.com/w3c/activitypub/issues/319#issuecomment-418752441
There's a way forward where we can actually give people protocol-enforceable ways to do this but it involves object capabilities and a change in perspective, not ready yet
@cwebber I'm really interested in what you might have to write about an object capabilities approach to this problem. Object capabilities sounds great and I would love to get a more concrete idea of how they might work in this context.