Amazing how blacklight gives it a perfect score when, in reality, IP addresses, domains, SSL certificates and other traffic metadata are clearly visible to AWS.
Not only the data can be subpoenaed, but it's also being intercepted by the usual 3-letter agencies.
If you care about user privacy find a smaller hosting in a country with good data protection.
Even better, host the site in somebody's home in that country.
My site is just a blog with a bunch of prototypes and games.
My goal is an ad-free Internet.
If the client is worried about surveillance then it would be up to them to use an appropriate vpn - but if a three letter agency cares about who reads my blog, I‘ll probably have a lot more problems then a visitor.
Not only the data can be subpoenaed, but it's also being intercepted by the usual 3-letter agencies.
If you care about user privacy find a smaller hosting in a country with good data protection.
Even better, host the site in somebody's home in that country.
And keep in mind that this is still not enough.