> Matrix supports the concept of “key sharing”, letting a Matrix client which lacks the keys to decrypt a message request those keys from that user's other devices or the original sender's device.
I'm a bit curious why you'd ever need to request those keys from somebody else, in addition to your own devices (or your homeserver, where they'd be stored encrypted by a key known by your own devices).
The recommendation is that devices only accept requests to share (forward) keys from a) other devices belonging to that user, b) the device which originally sent the message.
It's acceptable to gossip keys between your own devices (assuming you authenticate them correctly!) given... they're all your own devices.
It's also acceptable to request the sender to re-send the keys to you, given the sender knows for sure whether you were allowed to receive the key (given it made that choice in the first place).
It's not acceptable to request keys from other devices in the room, as they won't necessarily know whether you were actually allowed to receive the message key you're requesting - only the sender knows for sure whether it should have been sent to you; it was their key after all. Plus it would risk making vulnerabilities like the one in question here even worse, given anyone could try to exfiltrate messages from anyone else, rather than "just" the sender (as was the case here).
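The acceptance policy described above, as an added example that is not code from the thread or from any Matrix SDK: a decision function over constructed session and key-request records (the field names, `shared_with` bookkeeping and the verified-device set are assumptions for illustration). It encodes the three cases: forward to our own verified devices, re-send as the original sender only to devices we chose to share with, and accept the original sender's device; everything else is refused.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

@dataclass(frozen=True)
class MegolmSession:
    """Constructed record of a group session (hypothetical, not SDK code)."""
    room_id: str
    session_id: str
    sender_user: str      # user whose device created the session
    sender_device: str    # device that originally sent the messages
    # (user, device) pairs we sent the key to, only meaningful if we are the sender
    shared_with: FrozenSet[Tuple[str, str]] = frozenset()

@dataclass(frozen=True)
class KeyRequest:
    """Constructed stand-in for an incoming room key request."""
    room_id: str
    session_id: str
    requesting_user: str
    requesting_device: str

def should_forward_key(session: MegolmSession, request: KeyRequest,
                       own_user: str, own_device: str,
                       own_verified_devices: FrozenSet[str]) -> Tuple[bool, str]:
    """Decide whether to honour a key request; returns (allow, reason)."""
    if (request.room_id, request.session_id) != (session.room_id, session.session_id):
        return False, "request does not match the session we hold"
    requester = (request.requesting_user, request.requesting_device)
    # (a) our own devices: gossip only to devices we have actually verified
    if request.requesting_user == own_user:
        if request.requesting_device in own_verified_devices:
            return True, "own verified device"
        return False, "own device but not verified"
    # we are the original sender: we know exactly who was allowed the key
    if (session.sender_user, session.sender_device) == (own_user, own_device):
        if requester in session.shared_with:
            return True, "re-sending to a device we originally shared with"
        return False, "sender never shared this key with that device"
    # (b) the device that originally sent the message
    if requester == (session.sender_user, session.sender_device):
        return True, "original sending device"
    # any other device in the room cannot know whether the requester was entitled
    return False, "third-party device; refuse to forward"
```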
Imagine you're a "normal" person who has a phone and doesn't really use a computer. You lose your phone and want to retrieve the history of a chat you had with your friend on the new phone. You ask your friend to send the key to your new device.