In light of the current security vulnerability I would like to highlight the significantly weaker Megolm e2ee deployed in Matrix. Excerpt from the article:

On the pro side of things, trust management has been simplified as the user basically just has to decide whether or not to trust each group member instead of each participating device – reducing the complexity from a multiple of n down to just n. Also, since there is no new randomness being introduced during ratchet forwarding, messages can be decrypted multiple times. As an effect, devices do not need to store the decrypted messages. Knowledge of the session state(s) is sufficient to retrieve the message contents over and over again.

By sharing older session states with own devices it is also possible to read older messages on new devices. This is a feature that many users are missing badly from OMEMO.

On the other hand, if you really need true future secrecy on a message-by-message basis and you cannot risk that an attacker may get access to more than one message at a time, you are probably better off taking the bitter pill, going through the fingerprint mess and sticking to normal Olm/OMEMO.

[…] Megolm is also used in one-to-one chats, as Matrix doesn’t have the same distinction between group and single chats. He also pointed out that the security level of Megolm (the criteria for regenerating the session) can be configured on a per-chat basis.

So my take-away message is that New Vector is a bit dishonest when they say this is not a security vulnerability in the encryption protocol itself but only an issue with sharing keys between (untrusted) devices. But in reality only this significantly weaker implementation of the double-ratchet algorithm makes this kind of attack possible in the first place. By improving how the keys are shared, they make it harder to exploit this issue, but it remains an issue that could be exploited in the future.

Disclaimer: I am no cryptography expert and this might be FUD :)
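To make the property the quoted excerpt describes concrete, here is an added toy model of a Megolm-style forward-only hash ratchet (example code written for this thread, not the poster's, New Vector's, or the Matrix project's code; the real Megolm ratchet is a different, four-part construction). It uses only the standard library: the session state is a message index plus a ratchet secret, advancing the ratchet is a deterministic HMAC step with no fresh randomness, and decryption only replays the ratchet from a copy of the state. That is enough to show three things at once: a holder of the session state can decrypt the same message as often as it likes, a device given a later state can read everything from that index onward but nothing before it, and starting a new session (rotating, which the post says Matrix allows per chat) is what cuts an old state holder off. The session-id labels, the `demo()` helper and the fixed seeds are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def _kdf(key: bytes, label: bytes) -> bytes:
    # One HMAC-SHA256 step; used for both ratchet advancement and per-message keys.
    return hmac.new(key, label, hashlib.sha256).digest()


def new_session(seed: Optional[bytes] = None) -> dict:
    # Toy session state: a message index, the current ratchet secret and a session id.
    # A real deployment draws the seed from a CSPRNG; a fixed seed is only for the demo.
    ratchet = seed if seed is not None else os.urandom(32)
    session_id = hashlib.sha256(b"toy-session-id" + ratchet).hexdigest()[:16]
    return {"index": 0, "ratchet": ratchet, "session_id": session_id}


def advance(state: dict) -> None:
    # Forward-only: the new secret is a one-way function of the old one, so an
    # older secret is not recoverable from a newer state. No randomness enters.
    state["ratchet"] = _kdf(state["ratchet"], b"advance")
    state["index"] += 1


def export_state(state: dict) -> dict:
    # What "sharing a session state with another device" means in this model.
    return dict(state)


def _keystream(enc_key: bytes, length: bytes) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += _kdf(enc_key, b"stream" + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def encrypt(state: dict, plaintext: bytes) -> Tuple[str, int, bytes, bytes]:
    # Derive per-message keys from the current ratchet value, then advance once.
    enc_key = _kdf(state["ratchet"], b"enc")
    mac_key = _kdf(state["ratchet"], b"mac")
    index = state["index"]
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, index.to_bytes(4, "big") + ct, hashlib.sha256).digest()
    advance(state)
    return state["session_id"], index, ct, tag


def decrypt(state: dict, session_id: str, index: int, ct: bytes, tag: bytes) -> bytes:
    # Works on a copy, so the caller's state is never consumed: the same message
    # can be decrypted again and again from the same stored state.
    if session_id != state["session_id"]:
        raise ValueError("message belongs to a different (rotated) session")
    if index < state["index"]:
        raise ValueError("message predates this state; the ratchet only moves forward")
    work = export_state(state)
    while work["index"] < index:
        advance(work)
    enc_key = _kdf(work["ratchet"], b"enc")
    mac_key = _kdf(work["ratchet"], b"mac")
    expected = hmac.new(mac_key, index.to_bytes(4, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))


def demo() -> dict:
    sender = new_session(seed=b"\x01" * 32)          # constructed fixed seed
    state_at_start = export_state(sender)             # shared with a device from the beginning
    messages = [f"msg{i}".encode() for i in range(5)]
    wire, late_device_state = [], None
    for i, m in enumerate(messages):
        if i == 2:
            late_device_state = export_state(sender)  # shared with a device joining at index 2
        wire.append(encrypt(sender, m))

    all_plaintexts = [decrypt(state_at_start, *w) for w in wire]
    decrypt_twice = decrypt(state_at_start, *wire[3]) == decrypt(state_at_start, *wire[3])
    late_device_plaintexts = [decrypt(late_device_state, *w) for w in wire[2:]]
    try:
        decrypt(late_device_state, *wire[0])
        late_reads_old = True
    except ValueError:
        late_reads_old = False

    # Rotating the session is what stops a holder of the old state from reading on.
    rotated = new_session(seed=b"\x02" * 32)          # constructed fixed seed
    try:
        decrypt(late_device_state, *encrypt(rotated, b"after rotation"))
        old_state_reads_rotated = True
    except ValueError:
        old_state_reads_rotated = False

    return {
        "all_plaintexts": all_plaintexts,
        "decrypt_twice": decrypt_twice,
        "late_device_plaintexts": late_device_plaintexts,
        "late_reads_old": late_reads_old,
        "old_state_reads_rotated": old_state_reads_rotated,
    }
```

The defender-side reading of the output is the one the thread is about: whoever holds a session state holds every message from that index until the session is rotated, so the exposure from a badly shared state is bounded by the rotation policy, not by per-message freshness as in Olm/OMEMO.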