Enforce allowlist by default #6
Description
I understand the desire for easy setup, but karakeepbot should force users to set up an allowlist to protect them from abuse. New users may not fully understand the consequences of allowing anyone to use their bot and should treat allow-all as a last resort, not the default.
Telegram makes it very easy to discover bots and there's no way to make a bot private. Most users will naturally want to give their bot a display name or username that sounds like Hoarder/Karakeep to make it easier for them to find, but it also makes it easier for trolls to find through various Telegram scrapers or Telegram's native search.
Karakeep considers untrusted users outside of its security model, but at least spam from an unwanted user is limited to a specific Karakeep user that can be banned/removed.
In contrast, karakeepbot operates within a single user account, making any abuse from a troll messing with the bot much harder to clean up.
Supporting an empty allowlist to allow all users might be helpful as a last resort if a user struggles with finding their chat ID or does not care about abuse, but at the very least the default configuration should ship with a useless allowlist (e.g. with a nonexistent chat ID). Then the user can decide whether to provide their own chat ID or switch to an empty allowlist to enable the bot.