sounds like you think using Aqua on iOS is a significant risk. If I understand you correctly, what are the threat vectors? Assume friend uses the Aqua app while on a data VPN such as a BTC-paid anon ProtonVPN account with secure recovery email and self-custody of email storage keys.
No I'm referring to iOS itself
threat vectors are pretty basic opsec questions