It's not just a decentralized network, it's an open membership decentralized network, i.e. anyone can be a node, and any compatible software can be used to run a node.
What the parent posters are saying is that there's no way to trust that your (encrypted) data won't end up landing on the hard drive of someone who chooses to capture everything that passes through said hard drive.
Whether the node itself keeps the data is kind of immaterial, if there's no technical limitation preventing the owner of the node from keeping your data.
But also, as an open-membership decentralized network, there's also no real way to incentivize node implementations to obey deletion requests.
It's helpful to think about peer-to-peer networks as if every node was programmed from scratch by the person or organization running it, to do exactly and only what that person/organization wants it to do. (Not true, obviously, but the incentives behind there being a free market of p2p node software work out similarly to if it was.)
In such an environment, why would a given node owner want to add a "read a deletion-request log, and actually-delete everything mentioned in it" feature to their node in particular? Especially if they weren't a party with their own private data stored that they were interested in ever deleting, but instead were only on the network to make money hosting other people's stuff; or because they wanted to insert public data sets onto the network?
In terms of an incentive, I would say that the node owner would honor the deletion request if the network pays them to do that. If I'm a node operator I don't so much care about the particular data I'm hosting, just what the network is paying for me to do.
The threat model I'm thinking about is that a malicious actor requests an IPFS object that he/she knows holds data that is valuable, but that they cannot decrypt. They then hold this object for a period of time till at some point they are able to break into it using improved computing power or exploiting some flaw in the implementation.
Now, you raise a good point about Filecoin being an open membership network. In my particular example, the malicious actor could just decide to run an IPFS node and start holding any data that comes to it for future malicious purposes and maybe they start pulling down specific files that they want to target directly. I don't have a solution to this other than to think that having some reputation built into the IPFS node network could help mitigate that risk. You might imagine that nodes with high reputation are trusted and it is harder (requires a lot of time/money) as a node operator to become part of that group. People might decide to only trust the highly reputable nodes with their private data and utilize all nodes for public data.
What if they claim publicly to delete your data, accept decentralized payments to delete the data, actually delete that data on the node in the sense that nobody can retrieve the data on the public internet using any official protocols, but routinely take filesystem-snapshots of their servers and the owner browses them offline undetectably at their leisure?
Then 3 years later all the snapshots end up on a torrent site, after you paid that whole time to "delete data".
Yes, I think that is a risk in the absence of a true "Proof of Deletion". Perhaps though it would be so expensive to maintain a copy of all this data that no one is paying you for that nodes would be incentivized to just perform the actual deletion, since the rewards of keeping the data are unknown and the time horizon for maintaining that data at your own expense is unknown.