If Canton’s multi-domain architecture is designed to enable institutional interoperability while preserving privacy and finality, how can institutions be certain that trust assumptions do not silently shift from protocol guarantees to sync domain operators, infrastructure providers, or cross-domain coordination mechanisms during real-world failure scenarios?