Why does it guarantee insecurity? Clients have to store events privately already (many use hardware-kept keys), so I don't think the extra encryption from MLS payloads will make a difference. Plus, chat screens tend to require lots of secondary cache/storage to make sure screens load fast, like the last message of each person to build the chat's home screen, pre-parsing markdown/quotes into their own cache, etc. There is no way the protocol can protect from a lousy client.  

 Yeah. I came to the same conclusion. But I still don’t know if I’m going to add group metadata to the events themselves.

“We kill based on metadata”

In any case, there are other ways to keep pointers to the right events around if you need.