Prevent adding additional users to private messages?

Hi there. I’m seeing concerns from users about the ability to add additional users to a private message topic who can then see the entire message thread, resulting in a possible intentional or unintentional doxing if somebody posted private information earlier in the thread.

The expected behavior for these users is that added users would only be able to view the private message thread from the point where they were added. This sounds ideal to me too, but hard to implement from the Discourse point of view.

I wonder if it would be feasible in the short term to disallow adding users after a private message thread is started, possibly only allowing removals?