If a user decides to use a third-party SOCKS5 proxy for his Telegram client, what are possible security risks for the user?
Specifically if the proxy suggests using the same login and password for anyone signing up (eg).
In particular, is it possible for a proxy owner to eavesdrop the user communication over non-private single-user-to-single-user chats?
What other risks should be considered when choosing / using a third-party SOCKS5 proxy for Telegram?
The biggest security concern for most communication system is third party abilities to sniff / intercept and decode/tampered the message. Such attack are called "Man-in-the-middle attacks" (MiTM). There are many approach to protect the message when sending from the peer to the destination and vice-versa.
For example, under HTTPS protocol, the client program will download a public certificate from the server before initiate further application communication, then it will use the downloaded server public key and encrypt the message. However, a MiTM can hijack the connection and pretend to be the server and issue its fake certificate to tricks the user. So this lead to implementation of HPKP and HSTS to "patch" the problem. Those mechanism is called a "patch" because it is based on "Trust On First Use" (TOFU).
On the other hand, messaging system such as Telegram is embedding server public certificate inside the client. This mitigate the risk of the middle-man abilities to read the message from the spoof the connection. Without the server private key. This is mentioned under Telegram FAQ on MiTM.
In short, if the user are not using a tempered Telegram client, the message are pretty safe (under current CPU power and no sudden leap on cracking on the said encryption key strength).
