There is no warning about "sayto" being insecure, aside from a source code comment
Someone pointed out to me that the following comment appears in hu_stuff.c
:
// I just want to point out while I'm here that because the data is still
// sent to all players, techincally anyone can see your chat if they really
// wanted to, even if you used sayto or sayteam.
// You should never send any sensitive info through sayto for that reason.
I don't think this warning is enough, because I imagine the vast majority of players have never looked at the source code, and as such, will never see it. Some type of in-game warning is needed, so people will actually know not to send sensitive info.
Even better, of course, would be to change it so the chat is more secure, but then the server host could still be snooping, so a disclaimer would still be necessary.
Edited by Sparkette