However, because send and receive keys are derived from independent traffic secrets, retaining the receive traffic secret does not threaten the forward secrecy of data sent before the sender changed keys.
Comment> I can't parse the above line. In TLS 1.3, the send and receive keys are derived from the main secret and if the main secret is compromised, both the send and receive keys can be calculated by the attacker. I get that with HPKE, the send and receive keys are derived from independent traffic secrets.
However, because send and receive keys are derived from independent traffic secrets, retaining the receive traffic secret does not threaten the forward secrecy of data sent before the sender changed keys.
Comment> I can't parse the above line. In TLS 1.3, the send and receive keys are derived from the main secret and if the main secret is compromised, both the send and receive keys can be calculated by the attacker. I get that with HPKE, the send and receive keys are derived from independent traffic secrets.