> In the exports, the posts are signed with the users private key.

This refers to the full archives you can export from within Mastodon of your own activity.

There is every reason to make it easier for people to have always-up-to-date backups of their data because the current process means people need to actively think about it. That is a valid concern (and it really annoys me that Mastodon does not include the post signatures in the JSON served up by the API too, which would make it far easier to keep an up-to-date archive; there's no real reason not to). But as long as* the user has an up to date export, and as long as the other instance has seen your public key before or can otherwise verify it with a truster party, the authenticity of that data can be verified. It's not ideal, but it's an option.

Improving on this would also be easy, and I strongly think that once someone adds an import, the other side of that coin really is to push to ensure signatures for posts are included in the API output, and e.g. encourage apps to opt to let users keep a full copy of their signed posts (that part of the design of Bluesky is one I like) offline. I also do think that the Bluesky choice of ensuring the user has access to a recovery key is good, and would love to see something like that added for ActivityPub as well - with or without Mastodon core devs agreeing. It doesn't solve everything, and you'd still be limited until/unless major instances buy in, so, sure, it's possible and maybe even likely that there will be a time period when Bluesky does better than Mastodon on it. Then again once they turn on federation, that might well get Mastodon devs to take this more seriously.