Don't allow deleting the "Device Messages" chat and some of its messages

Your private key is your identity in Delta Chat. Once someone gets your key, your profile is done for: they will forever be able to decrypt, spy on and impersonate you. Hence it is very important that if at any time the “add second device” or manual backup option is used, a device message is added and it is not possible to delete it for at least X days. It must also be added the other way around, when you import a backup, so it is clear that this is not a fresh account but a restored backup or second device, and that potentially there is another device watching this account.

Currently, for “add second device” a device message is added; IIRC for manual backup no device message is added at all. In any case it is super easy to just remove the device message after stealing someone else’s backup, for example. It seems some people have been doing this already, read this comment:

Many companies with which I cooperate like DeltaChat and they ask to install this secure mail client for them, very convenient and synchronization between computers works perfectly. I make a second device after installation on my smartphone, thereby I monitor all companies to which I provide this service, through DeltaChat using this vulnerability.

3 Likes

Sure, I don’t do that kind of thing, but this would make it clearer that it’s very simple and that this issue should be addressed as a priority — even if not completely, at least implemented in the way I described earlier:

1 Like

Seems like a sane proposal, making those messages undeletable for a while.

Related post:

1 Like
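
A sketch of the deletion lock proposed in this thread, added here as an example and not taken from Delta Chat's code or from any poster. All type and function names are hypothetical, the 7-day lock is an arbitrary stand-in for "X days", and the sample messages are constructed.

```rust
// Hypothetical model of the proposal; none of these names are Delta Chat's API.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Kind { SecondDeviceAdded, BackupExported, BackupImported, Other }
#[derive(Debug, PartialEq)]
enum DeleteError { Locked { remaining_secs: u64 }, NotFound }

struct DeviceMsg { id: u32, kind: Kind, created: u64 } // created: unix seconds
struct DeviceChat { msgs: Vec<DeviceMsg>, lock_secs: u64 } // lock_secs: the "X days"

impl DeviceChat {
    // Seconds until `m` may be deleted; 0 for ordinary messages or expired locks.
    fn remaining(&self, m: &DeviceMsg, now: u64) -> u64 {
        if m.kind == Kind::Other { return 0; }
        (m.created + self.lock_secs).saturating_sub(now)
    }

    // `now` is supplied by the caller (assumption: a clock the caller trusts).
    fn delete_msg(&mut self, id: u32, now: u64) -> Result<(), DeleteError> {
        let pos = self.msgs.iter().position(|m| m.id == id).ok_or(DeleteError::NotFound)?;
        match self.remaining(&self.msgs[pos], now) {
            0 => { self.msgs.remove(pos); Ok(()) }
            r => Err(DeleteError::Locked { remaining_secs: r }),
        }
    }

    // Deleting the whole chat must not be a way around the per-message lock.
    fn delete_chat(&mut self, now: u64) -> Result<(), DeleteError> {
        let worst = self.msgs.iter().map(|m| self.remaining(m, now)).max().unwrap_or(0);
        if worst > 0 { return Err(DeleteError::Locked { remaining_secs: worst }); }
        self.msgs.clear();
        Ok(())
    }
}

const DAY: u64 = 86_400;

// Constructed sample data covering export, second device, import and a plain notice.
fn sample_chat() -> DeviceChat {
    DeviceChat { lock_secs: 7 * DAY, msgs: vec![
        DeviceMsg { id: 1, kind: Kind::Other, created: 0 },
        DeviceMsg { id: 2, kind: Kind::SecondDeviceAdded, created: 10 * DAY },
        DeviceMsg { id: 3, kind: Kind::BackupImported, created: 12 * DAY },
        DeviceMsg { id: 4, kind: Kind::BackupExported, created: 5 * DAY },
    ]}
}

fn main() {
    let mut chat = sample_chat();
    println!("{:?}", chat.delete_msg(2, 13 * DAY)); // still inside the lock window
    println!("{:?}", chat.delete_chat(19 * DAY));   // every lock has expired
}
```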