However, because of a lack of cross-signing support, it was disabled by default for a long time. The protocol and UX improvements to allow multi-client multi-receiver end-to-end-encrypted messages came in about a year or two ago, which precluded the need for every user to verify every device of every other user they're talking to. The default flow is to verify each of your devices yourself, and others verify against your key only once. However, it's technically not required to cross-sign your keys, so it's perfectly possible to force others to verify each device of yours if you want to enforce some extra security. Not very practical, though.
So: protocol-wise, encryption has been in there for a while, but client support and ease of use were major constraints. Modern cross-signing support (and uptake of encrypted messages by alternative clients) has helped a lot in actual adoption of the encryption abilities the protocol already had.