If a device is seized from a person, they are likely to be identified by their wallet or passport or appearance or who turns up to bail them or banking app or just tracking of the phone’s past locations. So I think you are talking about the risk of seizure of a contact’s device. Investigators might find the old profile name of a contact that the seized device was talking to. They might also find deleted contacts, which can persist in the database.
I agree that indefinite subject persistence is counterintuitive, and I think configurable subjects are the only thing likely to resolve the debates on subjects, since people have incompatible wants.
I think the expectation that profiles are containerized, and do not retain any information removed from the interface, is a natural one. It seems the UI acknowledges this, as a design ideal (for instance, there are settings that exist to do containerization, like per-profile proxies, and explicit warnings about information being retained after deletion). The software is obviously not perfect yet, but it seems to be heading in the direction you want.