
The problem with E2E+G is not technical, it is political. It can be done in a way that it would only be practical for the government to use it rarely (e.g., [1]) and only for cases where there is a broad consensus that it is being used Constitutionally (or whatever is equivalent outside the US).

But getting Congress (or whatever is equivalent outside the US) to pass an E2E+G law that allows it to be done in such a way seems unlikely. They will go for a way that allows broad use.

[1] You could make it a per-device key, generated on the device itself. The device makes the Shamir secret sharing shares, encrypts them with the public keys of the shareholders, and periodically includes those in the chat metadata.

To decrypt a chat, the government needs to record it, get the encrypted shares out of the chat metadata, get each shareholder to use that shareholder's private key to decrypt their share and then contribute that share for recovery of the actual chat key for that chat.

If they want to decrypt a chat from another device, they'd have to do that all over again for that device.



