Grubbs et al. acknowledge in their CCS'16 paper that Attacks 1 and 2 are out of scope for Mylar:
- Page 1355: "Mylar explicitly does not hide access or timing patterns"
-
Page 1359: "every principal in Mylar has a name, which is used to verify the authenticity of keys and thus intentionally left unencrypted by the Mylar developers."