diff --git a/threat-model.md b/threat-model.md
index ae2912e..64a3109 100644
--- a/threat-model.md
+++ b/threat-model.md
@@ -12,9 +12,10 @@ To keep the model tractable, the following aspects have been excluded:
 
 #### In scope
 
-* Briar Android app
+* Briar Android and desktop apps
 * Tor, Bluetooth, and LAN transports
 * Single Briar identity per user
+* Single Briar identity per device
 * Single device per user
 * Creating a Briar identity
 * Adding contacts via QR codes
@@ -36,16 +37,21 @@ To keep the model tractable, the following aspects have been excluded:
   * Removing feeds
 * Malware (excluding OS/hardware compromise)
 
-#### Out of scope
+#### In scope but not yet analysed
 
-* Briar desktop app
-* Removable drive transport
-* Attachments
 * Private groups
-* Multiple Briar identities per user
-* Multiple devices per user
 * Panic button
 * Enabling/disabling transports
+* Adding contacts remotely by exchanging links
+* Removable drive transport
+* Sharing the app via Wi-Fi hotspot
+* Image attachments
+* Multiple Briar identities per user
+* Multiple Briar identities per device
+* Multiple devices per user
+
+#### Out of scope
+
 * OS/hardware compromise
 
 ### Actors