First off, I read this page (and a few others): Recovery seed - Trezor Wiki
I am trying to understand the relationship between the passphrase and the Xpub (or Zpub for native segwit, etc). I am reasonably familiar with the privacy implications of Xpubs- if someone knows it they can track all your future addresses.
Basically, a new “master binary seed” is used every time you plug in the device. If you never use a passphrase, then cool- you are always using the same master binary seed. The 12 word recovery seed hashes into the master binary seed with no other considerations. Same if you always use the same passphrase.
- So is the master binary seed essentially creating the Xpub?
- If one day you decide you want a new Xpub for privacy reasons, can you just throw a simple passphrase at the end of the 12 word recovery seed to get an entirely new Xpub?
My understanding is that because the master binary seed is a HASH of the 12 word recovery seed + the passphrase, then even the smallest change in passphrase will yield a massive change in the output So, for privacy reasons you could just add a single letter or number.
For security reasons, you may want to consider a strong passphrase.