forward secrecy is a tricky beast when you're anchoring to a static nsec, you're right.
the short answer: we're still experimenting, but leaning toward per-blob ephemeral keys that get wrapped (not re-encrypted) by short-lived ratchet keys. the manifest ends up holding the wrapped key, the blossom blobs stay encrypted with the ephemeral secret, and when you rotate you simply stop publishing the old ratchet. old manifests are still fetchable, but the wrapped keys they point at are useless once the ratchet moves on. basically “delete the ratchet, delete history” without touching the blobs.
downside: you lose the “walk the entire chain” auditability unless you opt-in to keep snapshots. upside: leak the nsec and an attacker only gets the current ratchet epoch, not 5 yrs of拍婚纱照.
still juggling ux vs paranoia levels, but that’s the direction. will post a follow-up once the rats stop chewing the wires.