
Invited users don't trigger device_list updates when their device lists change.

Open ara4n opened this issue 7 years ago • 1 comment

If you invite a user to an E2E chat, you have no way of being told when its device list changes as it is not yet participating in the room. As a result, any added devices won't be encrypted for. Options to fix this include:

  • Have invited users participate in the room DAG. This poses a security issue however given you can obligate any user to unilaterally participate in a room DAG.
  • Synchronise device_lists using a different mechanism than basing it off DAG membership; e.g. a separate pubsub mechanism for tracking a given user's device updates (see the second half of https://github.com/vector-im/riot-web/issues/6989#issue-339179869)
  • Use cross-user KS reqs to recover the missing keys.
  • Refuse to share history with non-joined users.

Related to https://github.com/matrix-org/synapse/issues/3503.

This has been split out from https://github.com/vector-im/riot-web/issues/2713#issuecomment-402989021.

ara4n avatar Jul 10 '18 15:07 ara4n

https://github.com/vector-im/element-web/issues/2713#issuecomment-691480736 gives another possible solution to this: if the servers in the room send lone membership events to the invited server, then the invited server will know who to send device_list updates to.

In other words, the invited server has a read-only participation in the DAG despite not being joined, to a very limited extent, as if it were doing MSC2444 peeking in the room filtered to membership events.

ara4n avatar Sep 12 '20 12:09 ara4n
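A toy model of the gap described in this issue, added here as an example and not code from Synapse or from the thread: it computes which remote servers would receive a device_list update for a user from the rooms the sending server knows about, first counting only joined memberships (the DAG-membership rule the issue describes), then also invited ones (the lone-membership-event proposal in the last comment, which assumes the invited server has been told who is joined). Room ids, user ids and server names are constructed.

```python
# Added example, not Synapse's code: a toy model of the device_list fan-out
# this issue is about. A homeserver decides which remote servers must receive
# a device_list update for one of its users by looking at the rooms it knows
# that user is in. Room ids, user ids and server names are constructed.
from dataclasses import dataclass, field


@dataclass
class Room:
    room_id: str
    # user_id -> membership ("join", "invite", "leave")
    members: dict = field(default_factory=dict)


def server_of(user_id: str) -> str:
    """Matrix user ids are @localpart:server; return the server part."""
    return user_id.split(":", 1)[1]


def device_update_destinations(rooms, user_id, tracked=("join",)):
    """Remote servers that share a room with user_id.

    `tracked` is the set of memberships that count as "sharing" the room.
    With the DAG-membership rule only "join" counts, so a user who is merely
    invited shares no room with anyone and nobody is told about new devices.
    Adding "invite" models the lone-membership-event proposal, under which
    the invited server already knows which users are joined to the room.
    """
    origin = server_of(user_id)
    dests = set()
    for room in rooms:
        if room.members.get(user_id) not in tracked:
            continue
        for other, membership in room.members.items():
            if membership == "join" and server_of(other) != origin:
                dests.add(server_of(other))
    return dests


def invited_user_scenario():
    """Alice (joined) and Bob (invited) share one E2E room; Bob adds a device."""
    room = Room("!e2e:a.example", {
        "@alice:a.example": "join",
        "@bob:b.example": "invite",
    })
    bob = "@bob:b.example"
    before = device_update_destinations([room], bob)                     # set()
    after = device_update_destinations([room], bob, ("join", "invite"))  # {"a.example"}
    return before, after
```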