But more generally, your point is why I mentioned "unless the archive is considered an end and the connection to it is secure."
Consider E2E protected email service. You send me the final designs over this encrypted channel. Then I put the designs onto a USB drive and give them to my printer to print. Then I hang them as billboards all over town. This is a valid use case for E2E. Yet the contents of the message ends up visible from the freeway.
You are confusing Snapchat mechanics for encryption.
I think we're talking about this from two different perspectives. You're considering a user in someone's conversation with a modified, archiving client. Yes, you obviously can't prevent that from a technical side, and it doesn't break Signal's E2E. It would be even simpler to do this with the unmodified Android Signal client, which essentially allows message exports.
I was assuming (possibly incorrectly) that TM's client was being used as an overall messaging system by the government groups involved here, which is how TM seems to advertise it: not a single user running their client, but every (or every internal) user communicating with each other using their client. In that case each user's client would be sending each message to some recipients by Signal Protocol and other recipients by, if other comments and some parts of TM's advertising are correct, SMTP. Yes, some sender-recipient pairs are E2E in that case, but that seems a bit besides the point, as there are others that aren't, and those could be vulnerable to eavesdropping and modification.
I do realize that what I wrote in the initial comment could easily be read as something other than what I meant (it isn't E2E for the messages through Signal that is broken, but separate likely non-E2E messages); I suppose I should have expected here that doing so would result in replies focusing on that interpretation.
If you want to make sure nothing is ever archived, there is no software-only solution. If you control the hardware, in theory you can mandate that everything from the OS level-up is a reproducible build and you know for a fact that the messaging client does not allow any export feature. But also, you still have the problem of someone taking a picture of the screen. The real way to do this would be to control the software, hardware, and environment, aka a SCIF. If you want me to see classified war plans, confiscate all my electronics then show me what I need to see in a controlled environment where I can’t make copies. Messaging apps just simply can’t do any of that.
If I care more about my snapchat account than I do about saving your disappearing message minus your ability to leverage snapchat into banning my account or apply outside social pressure, then your disappearing message may actually disappear. As the stakes go up, so does the leverage required for “endpoint security” to be a meaningful security boundary.
