The policy url custom subpacket (set to TREZOR-GPG) is shared when a public key is distributed. This metadata can hurt anonymity since it conveys that a public key's owner is also a Trezor owner/trezor-gpg user. This is bad for OPSEC.

If possible libagent/gpg/encode.py should find a different mechanism to determine signer_func which does not require additional key metadata.