During its initiation, the client creates two new Droplets (let's call them First Node and Second Node) inside Digital Ocean containing nothing else but a simple Tinyproxy proxy daemon. Next up, it creates a SSH tunnel from your machine to the First Node. If you then change your browser's (or any other app or a system which has basic support for proxying) proxy settings to http://localhost:8888, all of your network activity will be routed using Droplet via SSH tunnel. After 30 minutes, the client will automatically connect to the Second Node, then creates a new fresh First Node instance for future use, and then eventually sunsets the original First Node by destrying it for good. The cycle of renewing your exit nodes (and thus IP addresses) will keep repeating itself as long as you have the client running. This way you can get stay pretty private, but still enjoy decent internet speeds.
Each time a Droplet is created, a phonehome call is made from it to Cloudflare KV containing Droplet's public host key, which will be then queried by supershy, and henceforth added to your SSH's known_hosts file. When SSH client is connecting to the SSH server, strict_host_key_checking will be enabled. This adds a layer of security against possible MITM attacks.