Circumstances I think this can happen: you receive a msg encrypted to key A while offline. You go online, and after authenticating replace your public key with B, keeping the A just for this session to receive previously sent messages. But you go offline again before downloading them all, so there's still a message encrypted to A on the server, but when you come online again, you don't have the private key to A anymore.
Since this could theoretically happen an arbitrary number of times, we might need to keep a slice of ephemeral private keys. (This would require updating libsufec too) We could discard a key only after we first receive a message encrypted to the next one.
I think another way this can happen is a race: if you connect, replace your key, and download all old messages, but a sender connected and received your old key before you replaced it but doesn't finish sending their message until after you've received all old messages and discarded the old key.