TBH the bandwidth concern seems.....off. Even with long event IDs / room IDs, they are still significantly shorter than event contents themself, especially due to all the (edit, reply) fallbacks, when we start signing and whatnot. The length of event ids / room ids is insignificant compared to that.

Sounds like replies need fixing that they have to be in the same room, then?

There's use cases popping up (threading) where it might actually be useful to do cross-room references. Replies might be a natural extension to this.

one option would be that, if the referenced event is not in the same room, the client has to also specify a room_id in the m.relates_to, next to the event_id.

I am a bit worried that server implementations are vulnerable to a kind of attack where someone sends an event id but a mismatching room id. Or an event with auth events from a different room.

That would mean different room_id in the path and in the body?

The security properties of the event DAG rely on a strong cryptographic hash function to prevent collisions. Namespacing events at best does nothing to improve on this security¹, at worst reduces security because now you need to make sure the room ID is correct in multiple places.

Timo alludes to this, but it's a real problem we've had in the past when developing servers. Naively, a developer thinks that if you get a 200 OK from GET /_matrix/federation/v1/room/:roomId/event/:eventId that the :eventId is in the room :roomId, but this is not true. The only place that matters is the event JSON. As such, you have to check the JSON anyway, so what on earth is the point of adding :roomID other than to create a footgun for server developers?

We should be designing good APIs which don't lead developers to write insecure servers. Adding GET /_matrix/federation/v1/room/:roomId/event/:eventId is not a good API.