One idea for improvement: it is technically possible to edit JPEG files losslessly to some extent: specifically, single 8x8 blocks can be changed at will without quality affecting recompression. So one could just blur those blocks in the original images and save the blurred version only. Bonus: create a small file with the changes as an “unblur-diff”, and store that somewhere much safer, e.g. give that to the user.