I am writing a decentralized application that lets certain privileged users post messages to other users. These messages should be encrypted so that only the two of them can read them. Messages are posted onto IPFS, so that anyone can read the ciphertext.
Currently, I am using OpenPGP to encrypt from one user to the other. However, I was reading about perfect forward secrecy's usages (e.g. in Signal, Megolm), and it seems like a requirement for a secure chat app.
However, in my case, users must always be able to read message history, ideally from any device with the private key. I could still do this with PFS, but I'd have to keep decrypted message history on the device, correct? Thus (as Keybase alludes to), isn't perfect forward secrecy useless if compromising a device always yields both the long-term key and all past history?
Essentially, are there any benefits that PFS still offers versus traditional public-key encryption, perhaps augmented with the ability to stop encrypting to compromised devices in future messages?