The note is packaged in the browser
When you create a note link, the browser encrypts the note text before the share package is built. This approach is different from typing the note into a plain form and trusting a server to store it later in readable form.
The link carries the package
In this static build, the encrypted package lives in the URL fragment. Browsers normally do not include the fragment in the HTTP request to the server, which helps keep the packaged note out of normal server request logs.
Passphrases add a second step
If you choose a passphrase, the note is encrypted from that passphrase and the recipient must enter it before the note can be opened. This is most useful when the link alone should not be enough.
What this build does not pretend to do
It does not claim server-enforced one-time destruction, account-based permissioning, or enterprise-grade audit controls. The goal is a simpler browser-side privacy tool, not a full secure communications platform.