The same was true for the official pixelfed app and the source was eventually released. Not great, but I think it is fair not to assume malice in this case.
Recent versions of Lemmy include an admin API function to mark communities as hidden, thus making them disappear from the All feed, but people can still subscribe to them AFAIK. That is a possible alternative to outright banning the bot in case there are some people interested (it seems to be mostly NSFW subscriptions though).
It's nice as a place to talk to mostly like-minded people and avoid the increasingly common AI bot slop, but it is too spread out internationally to be a useful communication tool for organizing local activities, which is a bit sad.
$2 a month is bad advice, as payment processing fees will eat too much of it. Costs are also usually much less than $2/month/member, but that is assuming the admin labor is provided by volunteers.
Sharkey includes many improvements that never made it back into the Misskey codebase, and Misskey's documentation and community support are mostly in Japanese.
I would rather suggest the Akkoma (= Pleroma) and Sharkey (= Misskey) forks for a series of reasons.
They interact with each other fine; no real problems there, except that Mastodon users can't see custom emoji reactions and such.
Mastodon apps generally work fine with Akkoma; for Sharkey it is a bit less smooth, and a lot of the extra functionality of Sharkey is obviously not supported in Mastodon apps.
No, bridges are not end-to-end encrypted. The best you can do is host the server and bridge in your own home and thus have the bridge "end" in a secure location.
If your friends and family are not very technical, then Matrix is probably a bad idea, as it tends to be quite in your face about all sorts of technical issues, especially with the encryption keys and so on. It usually works OK once everything is set up though.
XMPP is IMHO the better option, as the mobile apps are easier to understand and the E2EE usually works out of the box and stays out of the way unless you specifically want to mess around with it. For a friends & family server I recommend setting up https://snikket.org/ or renting a server from them cheaply.
There are also good bridges for XMPP, but setting them up requires more understanding of self-hosting.
XMPP basically uses the same end-to-end encryption method as Signal, but due to it not being mandatory, some things are easier but come with the footgun that you can accidentally disable it (it is enabled by default in most modern XMPP clients, though).
Otherwise: since XMPP federates, more servers can theoretically see some metadata, but since most servers are small and community run, there isn't a single big target like with Signal where you can siphon off all the metadata. So you can make arguments for both. XMPP: more metadata but decentralized; Signal: less metadata but all in one place.
Security researchers always look at a specific thing, usually the encryption only. The message encryption of Signal is great; the problem is all the rest of it, which never gets scrutinized that closely.
No ActivityPub federation, but otherwise yes.