So, on that topic of “security” - just remember that whenever you post, your post is essentially sent to every “instance” that is federated (and listening for the community you posted to). Each instance is it’s own server running it’s own version of an activitypub implementation (lemmy, mastadon, etc).
So on lemmy.world that means your post is sent to literally thousands of servers that you cannot directly influence. If you delete a post, a request is made to those servers to also delete the post, but if that instance is modified or unavailable when the request is sent (it’ll re-try, but there’s a limit how many times), then it’s possible your post will not be deleted and you’ll never know.
Keep in mind this also means that anyone, say a government or private company, can establish an instance, federate, and receive the posts of everyone. Their instance may be nearly completely invisible - so you won’t know they’re collecting that information.
However, lemmy stores and sends almost no information about any user. A user profile does not contain IP address or country or anything. All of that stays in the server logs of the instance you originate from, and never enters the database. So your “true” personal information isn’t shared, but your account name, and a link to your account, and the post content (whatever text you add) is shared.
Lastly, images tend to be shared. Lemmy uses “pict-rs” which is a FOSS image hosting server, and when an instance receives a federated post, if there is an image in the “URL” field, then it will ask pict-rs to download that image to its server for easier serving to its users.