Nice work! Amber looks great.

Question: If a web application doesn't sign events or decrypt anything is it possible to request only the read pubkey permission?

If so I'll definitely try to integrate with noswot.org so the app doesn't appear to request sign/decrypt permissions when they're not needed.