Asklemmy

Depends on what you consider to be important for being "safe".

Using matrix as is out of the box is relatively secure but you need to be aware that a lot of metadata ends up on the servers of a UK based for-profit & venture capital funded company (New Vector).

Xmpp on the other hand requires a bit more research to find a good server and client, but it can be made to be extremely secure, especially when self-hosting and/or using Tor for connecting to it.

IMHO there is no silver-bullet and every option comes with trade-offs. Depending on you needs other options like Threema, Signal and Telegram with their e2ee & open-source clients but centralized servers can also be worthwhile to look at.

Getting end-to-end encryption work seamlessly is difficult on XMPP, and you would end up not secure. Matrix does have very good defaults and has e2ee enabled by default. It also has a different passphrase to decrypt history if you need to change the device.

Edit: typo.

XMPP is more safe, I can't remember what exactly but I remember the whole XMPP vs Matrix thing, and matrix has this metadata problem, that spreads like a literal virus; instead of exchanging individual messages- entire chats while encrypted is stored in each server you federate. in regards to privacy Matrix isn't the best. on top of that most people sign up matrix on matrix.org so that's a huge chunk of metadata.

However, your family and friends are sometimes boomers when it comes to signing up for xmpp. so what I'd do is use both and spoonfeed them every step of the way to use xmpp. I'd like to make an easy guide for xmpp one day.

I'm not an encryption or security expert or anything, but the thing that you have to be careful about with Matrix is that you are going to find yourself most of the time chatting in rooms which log messages forever. That's not the case with every room; it depends on the settings, participants, and certain events that might cause the room to stop existing in the future or lose its copies of the messages, but generally what you are looking at is the system the way its designed fights against losing that kind of information. (Matrix federation makes the room copied onto as many servers as it can.) You will just want to be mindful of how you chat on there, for example don't say things you don't want someone to look up 10 years from now. It's kind of a privacy nightmare, but you can just try being careful, for example by staying pseudonymous, and if you mess up somewhere delete those messages.

The difference here with XMPP is that, while servers can log chat rooms, most of the time they are configured not to. History is usually temporary just for convenience (that is, offline messaging) and may go back anywhere from a few days to a few weeks. Chat rooms live on only one server that hosts them, so they are not duplicated onto other servers.

In either case, clients could still be logging and so on, so you should always be mindful of how much you trust both the service and the people you are communicating with. E2EE is available on both platforms, which you should utilize anyhow, but mainly I'm talking about public chat rooms.

Matrix probably by default, because most Matrix clients already support E2E out-of-the-gate (Element, Mirage, FluffyChat for iOS, Syphon for Android, KDE NeoChat, nheko). Though you could also have E2E on XMPP, it'd just require more effort to find the appropriate plugins/settings on your part, than with Matrix.

Test