I don't know firsthand, but I believe they encrypt each message for the recipient, hence the scaling issues. They've been working on adopting MLS for 3 years, which will help a lot when it gets done.
nostr:npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn and nostr:npub1xtscya34g58tk0z605fvr788k263gsu6cy9x0mhnm87echrgufzsevkk5s were talking about this on a recent Thank God for Nostr podcast.
My takeaway was that it's very good but has serious scaling limits because of this.
Discussion
encrypted group messages are an unsolved problem as soon as the group becomes too large afaik
That's what MLS is for, it reduces the amount of messages needed from O(n) to O(log(n)). Which is nice, but still doesn't scale as well as O(1) which is what you get with shared keys (at the expense of much worse security).
the most important thing is that Matrix does not encrypt metadata
Matrix can be run Sovereignly. This helps as you are in full control of who you add into the rooms. Also, you can customize the server where no emails are used. It goes without saying don't dox yourself with a username. Also, if you federated with only other sovereign runners of their Matrix instance your attack vector is highly minimizesd.
It's ok for government, enterprise, etc., but not for casual users.