Please examine the server-side code below. Assuming that data.id is abc77 at some instant, will every connected browser receive a socket message 'my_model/abc77:update', or only the ones that have subscribed to this particular message, regardless of whether the socket.io event is raised or not?

To clarify, using a practical application: will a hacker be able to receive the message 'my_model/abc77:update' using the browser's developer console, even if his instance of my application has no subscription to it, not knowing that data.id is abc77?

var io = require('socket.io');
io.listen ( server ).sockets.on ( 'connection', function ( socket ) {

    socket.on('my_model:update', function(data, callback) {

        database.save(data, function(err){
            if (!err) {
                callback(data);
                socket.broadcast.emit('my_model/'+data.id+':update');
            }
        });

    });
});

It's broadcasted to every other socket connected. To restrict the broadcast to a certain group of sockets, use rooms.