Thanks for the replies. Security is not too much of a concern -- there is zero PII or sensitive information in these list objects. The photos would not need to be synced -- the data in the list is enough to fetch/generate a photo on each device, it can just be stored locally after being retrieved/created once using the list data. The fact that CloudKit means users are paying for their own cloud storage is a good point though. But that's not going to translate across platforms -- if I launch a web and Android app, unless those users are iCloud subscribers, I'm still going to have to come up with a cloud storage backend, and then I've got to integrate and maintain two storage systems, right? And if I do that, how would a user of the Android app who does not have an iCloud account share one of these lists with an iCloud/iOS user? If you're planning to go cross-platform and not requiring an iCloud account, it would seem this approach is just going to add a lot of complexity.