I use arch on a couple of machines and for a rolling release I find it surprisingly hassle free. So with a scientifically relevant sample size of one ;) - I declare that it’s the people that are the problem.

That is with regular updates though.

I also have a gentoo box that is fine if you let it update every week or two, but tends to need more love and attention if you turn it on again after half a year. I wouldn’t be surprised if that’s the same for arch. Users who only update twice a year aren’t really the target audience for rolling release.

It probably also depends on your hardware and what your usecases are; as always using the right tool for the job helps

A lot of people here mentioned that passwords are hashed, but unless I missed it no one pointed out the following:

The admin of your instance controls your login form and they can pull your password when you log in. So, as others mentioned: always use unique passwords, never ever reuse them.

In general a server admin can do anything they want on their own instance.

Federation wise I’d say if your home instance is the bad actor you are screwed, if it’s another instance then their capabilities for mischief hare probably (hopefully?) more limited. And any such action would likely cause a swift defederation of the malicious instance