I suspect the answer you're looking for is that it's not necessary, but the much more likely reason is that the UX is horrible and it's error-prone, and even out of the few people who use PGP for this kind of stuff, a fairly sizable chunk of users probably don't even know what forward secrecy is. I would say the expectation that PGP users need to be informed enough about encryption to make a personal decision for themselves when to change their keys is itself a somewhat damning indictment of the PGP ecosystem. You shouldn't have to be an expert in this stuff to have good encryption.

Zooming out a bit, we could ask the same question that you've posed about email more broadly: why do most email users not bother with PGP encryption at all? Why do many client developers decide to not even add support to their apps?

If you take the perspective that lack of mainstream adoption of a security technique is evidence that the security technique has no value, then it's hard not to conclude that SMS and Facebook Messenger are both fine and we're all wasting our time with encrypted messaging of any kind. But my perspective is that people use more secure tools (in part) only once they're at least as accessible and usable as the other tools/platforms that they already have.

----

From your linked article:

> This process is very manual. There are no GnuPG --preburn and --burn commands to automate this. This suggests that this is not something that is commonly done. Most people don't fear the exposure of their keys enough to make this worthwhile for this sort of system.

PGP does not have a generally accessible, vetted way to automatically create those subkeys and distribute them that any non-technical (or even reasonably technical) user can take advantage of: if it did then the blogpost wouldn't exist. So of course people don't do that stuff, it's not surprising that people don't manually edit keys. The problem is when developers and proponents then respond to that by saying, "we don't need a generally accessible, vetted way to automatically create and distribute subkeys because people don't do that." Then the whole conversation starts getting really circular.

People use forward secrecy in Signal because it's on by default and works even if they don't know what forward secrecy is. Of course sometimes we can look at an ecosystem and we can take cues about user needs based on what they currently use. However, you have to be very careful about that. Don't fall into the same trap that (just as one example) Mozilla falls into, where they'll move an option into a buried preference menu and then say, "no one is clicking this anymore, guess we should remove it from the browser entirely." Sometimes users don't use features purely because they're not convenient, or accessible, or because they don't know the features exist.

It's also worth noting that broadly, most E2EE messaging platforms are moving towards forward secrecy, and PGP encrypted email is somewhat of an outcast in saying that forward secrecy doesn't matter. So it's not really like forward secrecy is easy everywhere and people go and turn it off because they don't need it. Increasingly, it's just older systems like PGP where people have decided not to approach messaging this way. I would posit the reason for that split is because PGP has bad UX for forward secrecy and most people using it or building around it know that doing unconventional things in PGP is a recipe for accidentally shooting yourself in the foot.