Sorry, I'm probably explaining myself poorly. I much prefer chat systems with PFS because it mitigates the blast radius of a key leak, I get that. What I'm saying is, if you store a message history that contains the plaintext that Mallory wants, and it's stored in the same way the identity key is, PFS doesn't get you much.
The attacker who has all your ciphertexts needs the decryption key to get the plaintext (which she wants). Now, with a PFS scheme the key gets deleted as soon as I receive and decrypt the message, so the attacker is out of luck, basically (even if she gets my long-term key). However, PFS only moves the target to my plaintext message database...which is stored the same way my key is (as I understand it). So really, unless I purge my message history with some regularity (I do), then the stakes are the same -- don't let the attacker get access to the device.
But most people prefer to have all their chat history available and searchable, at which point individual decryption keys don't matter and therefore PFS doesn't, in my opinion, help much.