Hello
@User
This depends on your security requirements, but in general it is a best practice to not store more information in the identity schema than is needed.
So ideally all business-related information you can store in application backend and everything that is needed for auth you should store in the identity schema.
there are no hard & fast rules to this, there might be expections where it makes a lot of sense to store more information in the identity schema.
be aware that (currently) users can view and modify identity traits - there is an issue open to provide more control here:
https://github.com/ory/kratos/issues/47