
Ooh, this is interesting. Theoretically these could still be associated with my account, right? Since you need to use my session token to generate these privacy tokens. Is there a technical explainer somewhere with instructions for setting this up without a web extension?

Edit: Looking into it, it seems like this uses the same mechanism for tokens as Cloudflare's Turnstile system: https://privacypass.github.io/ or, for the proper standard, https://www.rfc-editor.org/rfc/rfc9578.html

Excerpt that explains how it works:

> When an internet challenge is solved correctly by a user, Privacy Pass will generate a number of random nonces that will be used as tokens. These tokens will be cryptographically blinded and then sent to the challenge provider. If the solution is valid, the provider will sign the blinded tokens and return them to the client. Privacy Pass will unblind the tokens and store them for future use.

So it seems like as long as the cryptography is done right and Kagi's webextension does what it says, they are actually private.
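
The blind, sign, unblind flow from the quoted excerpt, as an added example that is not part of the comment above and is not Kagi's or Cloudflare's code. It uses textbook RSA blinding with a constructed toy key rather than the RFC 9578 token format, and every function name in it is hypothetical; it shows that what the issuer sees at signing time differs from the token presented later.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy issuer key built from two Mersenne primes. Far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def digest(nonce: bytes) -> int:
    """Map a token nonce to an integer mod N (toy stand-in for real message encoding)."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N

def client_blind(nonce: bytes):
    """Client: hide H(nonce) behind a random factor r before sending it to the issuer."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (digest(nonce) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer: signs the blinded value after checking the challenge or session."""
    return pow(blinded, D, N)

def client_unblind(blind_sig: int, r: int) -> int:
    """Client: strip r to obtain an ordinary signature over H(nonce)."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(nonce: bytes, sig: int) -> bool:
    """Redemption check: anyone holding (N, E) can validate the token."""
    return pow(sig, E, N) == digest(nonce)

def demo() -> dict:
    nonce = secrets.token_bytes(32)
    blinded, r = client_blind(nonce)
    issuer_log = {"blinded": blinded, "blind_sig": issuer_sign(blinded)}  # all the issuer sees
    token_sig = client_unblind(issuer_log["blind_sig"], r)
    return {
        "valid": verify(nonce, token_sig),
        "issuer_saw_digest": issuer_log["blinded"] == digest(nonce),
        "issuer_saw_sig": issuer_log["blind_sig"] == token_sig,
        "wrong_nonce_valid": verify(b"other", token_sig),
    }

if __name__ == "__main__":
    print(demo())
```
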



This is very exciting new stuff. I am sure it'll find a million other uses.



