this looks great for most use cases. most interception has been ruled out by the simple protocol for rooms, where the remaining attack appears to be just to clone the users' keys, where it's more viable to attack the phones than the protocol, which is the point.
the spitball questions I would ask might be: a) how do you handle a theoretical timing attack where the time to respond to a room scan could yield whether a given device is a member of a known room (the parallelism?), and b) does the GCM counter IV/nonce value cluster around rooms, so the counter for a given room will be in a shared range?
not dealbreakers or anything, this is simple and cool for its purpose, but design-consideration-wise, what's the thinking on those scenarios?