Privacy
Privacy is a property of the architecture, not a promise in a policy.
A policy is a claim. It says we will not do the bad thing, and you are asked to trust it. An architecture is different. It arranges the system so the bad thing cannot happen, and you can check for yourself. Prefer the guarantee you can inspect over the one you must believe.
The origin makes this concrete. The corpus is public by design. It is meant to be read, cited and invoked. Everything else, anything a person or a product holds that is not corpus, never enters the origin at all. What is never collected cannot leak. It cannot be subpoenaed and it cannot be sold. The strongest guarantee is structural, not contractual.
Privacy and provenance are the same discipline seen from two sides. Provenance proves the lineage of what you publish. Privacy keeps everything else out of reach. An origin proves where its published knowledge came from while disclosing nothing about who asked.
Privacy by architecture is the principle. Build so that a leak is a bug you can find, not a policy you have to trust.