CRDTs allow for decentralized replication of data. Capability security allows for decentralized control over behavior. Local-first applications often use access-control list (ACL) security which has significant downsides versus capabilities, especially in a decentralized context. In this talk, I'll examine how CRDTs and capabilities can be composed to improve the security of local-first applications using a group chat prototype as a case study.