by math_and_stuff 2725 days ago
What do you recommend instead?
4 comments

Matrix/Riot.im is federated and has E2EE. It also has bridges for IRC, Telegram etc. Here's a native client for macOS: https://neilalexander.eu/seaglass

Web client: https://riot.im/experimental/

Matrix is also experimental. About a year ago it kept losing my key, meaning I couldn't decrypt old messages. I still use Matrix, but I don't have any illusions that it's more secure than tox.

We're not aware of any bugs where Matrix clients lose your e2e keys (other than one where changing your password may cause clients to log out and remove keys for safety). If you saw it keep losing keys, I'm going to guess you configured your browser to delete local storage when you close the tab... in which case, unless you export the keys, we have nowhere else to store them.

That said, we've also just implemented the optional ability to encrypt and backup your keys on the server, but obviously comes with other tradeoffs.

In terms of security, the core crypto has been audited, as per https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-en...

It hasn't happened in a year (I still use it) so whatever the issue was I don't see it anymore :)

I tested riot.im in a private Firefox window recently, obvious with hindsight but it didn't occur to me I should export keys and I didn't spot anything in the interface to make me aware or prompt me to action.

Great to hear you've added the option for server stored keys now.

Yeah, it's a tricky one because by the time you've closed the window, it's too late to export keys.

The new online key backup stuff landed a few weeks ago on the develop branch, and will be making it onto the main release over the coming weeks :)

> I don't have any illusions that it's more secure than tox.

That conclusion doesn't follow. How does the client losing your key cause you to consider Matrix itself as less secure?

Matrix has also had a proper security evaluation.

https://ricochet.im/ is a great protocol, but the UI could use work.
Yes. Each client runs a Tor .onion service, and there's end-to-end encryption. So arguably, users are mutually anonymous (except for their .onion addresses).

But it's only available for Windows, macOS and Linux. On Android, there's Briar, which is similar.[0] But Briar can also connect via Bluetooth and WiFi. That's useful when the Internet is unavailable. But it's bad because user anonymity could be blown.

0) https://briarproject.org/

I was working on a self-hostable web interface for a while. There's a public instance at https://ricochet-web.org/ but unlike the official client it hasn't been professionally (or otherwise, for that matter) security-tested and is vulnerable in various ways the official client isn't. It also has quite a few known and unknown bugs.

I don't know if I have any strong recommendations. In terms of what I use: Keybase and iMessage, depending on who I'm talking to.

I used tox for a while until I realized just how sketchy the devs and community are.

Now, I recommend using XMPP (Openfire) over Tor. That allows things like

Crankylinuxuser@onion-v3-verylongkey.onion

to send messages. And my server can also send messages out via Tor gateways or to other torified messaging servers.

TL;DR: Use secure protocols and combine with Hidden Services.