Absolutely correct, good job pointing it out.

What we need here is some form of repudiation of notes, so that you can later say "I never wrote that". It's effectively deletion.

One way is that you can limit the time your notes/posts are valid. Each note will be signed by a temporary key that's valid for, say, a week. The temporary key in turn will be signed by your permanent key which is your identity.

After a week you publish the secret key to your temporary key. This will dissociate any note you signed with the temporary key from your identity because now everyone could have written and signed it.

Then you generate a new temporary key for the next week. I would expect relays to purge expired notes on a regular basis because what's the point of a note without an associated identity.

If you want your notes to be valid for longer than a week you'll have to re-sign them each week with the current temp key. There can be good UX and automation to make this easy.
 

 This only works with repudiation by key rotation. I don't think you've understood that.

nostr:nevent1qqstxfs92x47k4y67jtm8lhj3uckyzramkpsth9mstdpf0ee3jz2myqpzamhxue69uhkummnw3ezu6rpde4ksatz9ehx2aqzyprmuze238a25e4u2l6uv7fqxjrd53txq22uk0dnctec7jlgmzqkuqcyqqqqqqg7u95l6 

 Repudiation is desirable (I believe SimpleX is actively working on it) ofc.

But the lack of it does take away the advantages of message timers in 99% of cases. It's a passive defense for when you are not being actively targeted.

Yes, if chatting with a fed and confessing a crime, it won't save you. 

 @simplex has always had repudiation on the e2e layer but from the handling of the SMP protocol you could construe non-repudiation and that's being fixed now.

Now what's a "message timer". 

 Messages that self-destruct after X amount of time.