zkz
Correct me if I'm wrong, but if I understand correctly, the Ibex protocol implemented by Threema at the end of 2022 seems to have implemented PFS beyond TLS:
"At the transport layer, Threema has always supported Perfect Forward Secrecy (PFS). And just like for group calls (see above), PFS has always been enforced at the end-to-end layer for individual calls. The new Ibex protocol now also supports the exchange of ephemeral keys for chat messages on the end-to-end layer (with ECDH). A new key is used for each message, from which it is not possible to derive previous keys (thanks to KDF ratcheting)."
Here an external security analysis of the Ibex protocol.