https://spec.matrix.org/v1.11/client-server-api/#mmegolmv1aes-sha2
As of v1.3, the sender_key and device_id keys are deprecated. They SHOULD continue to be sent, however they MUST NOT be used to verify the message’s source.
Clients MUST NOT store or lookup sessions using the sender_key or device_id.
In a future version of the specification the keys can be removed completely, including for sending new messages.