> On the other hand, if you really need true future secrecy on a message-by-message basis […] stick to normal Olm/OMEMO.

Doesn’t Olm/OMEMO also use a simple hash ratchet when sending consecutive messages from the same sending device? From memory, it only does X3DH when the flow of conversation changes direction.

It’s worth noting that if you really do want Megolm to provide full PFS on a message-by-message basis, you can just set the session duration to 1 message – except this will force an X3DH over the full mesh of devices in the room, which isn’t going to be very performant. So it ends up being a trade-off between security and usability, for a change. MLS could be a much nicer way of getting better forward secrecy without the scalability challenges.

In other news, thank you for relaying that Matrix is fundamentally different to XMPP (in terms of being a conversation history syncing protocol rather than a messaging protocol) – it’s a very welcome change to see the distinction being made by a jabber-head 🙂
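
The session-duration trade-off described in the comment above, as an added illustration (not code from the commenter, Matrix or libolm): a simplified single-chain HMAC ratchet, not Megolm's actual ratchet construction, with a fresh random seed per session. The names `simulate`, `rotate_every`, `recipient_devices` and `captured_at`, and the cost model of one pairwise key share per recipient device per session, are assumptions made for the sketch.

```python
import hashlib
import hmac
import os


def _kdf(chain_key: bytes, label: bytes) -> bytes:
    """Derive a value from the chain key; HMAC-SHA256 is one-way."""
    return hmac.new(chain_key, label, hashlib.sha256).digest()


def simulate(total_msgs, rotate_every, recipient_devices, captured_at):
    """Send total_msgs messages, starting a fresh session every rotate_every.

    Returns (exposed, key_shares): the message indices whose keys can be
    derived from the sender's chain key as it stood just before message
    captured_at, and the number of pairwise key shares the sender made.
    """
    message_keys = []   # ground truth: key actually used for each message
    captured = None
    key_shares = 0
    chain_key = b""
    for i in range(total_msgs):
        if i % rotate_every == 0:
            chain_key = os.urandom(32)        # new session, unrelated seed
            key_shares += recipient_devices   # seed goes to every device
        if i == captured_at:
            captured = chain_key
        message_keys.append(_kdf(chain_key, b"msg"))
        chain_key = _kdf(chain_key, b"next")  # one-way ratchet step

    # Ratchet the captured state forward and record which real message keys
    # it reproduces. Stepping backwards would require an HMAC preimage.
    derivable = set()
    state = captured
    for _ in range(total_msgs):
        derivable.add(_kdf(state, b"msg"))
        state = _kdf(state, b"next")
    exposed = [i for i, k in enumerate(message_keys) if k in derivable]
    return exposed, key_shares


if __name__ == "__main__":
    # Constructed scenario: 12 messages, 5 recipient devices, state captured
    # just before message 5.
    for every in (12, 4, 1):
        print(every, simulate(12, every, 5, captured_at=5))
```

Shorter sessions shrink the window a single captured state exposes, while the number of key shares grows in proportion to the number of sessions times the number of devices.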